AIM forced behavior "issue":
By: Brian
Intro:
This article will describe an "issue" I have found with the 4.7 version of the official AIM client. This "issue" involves the ability to automatically force an AIM client into performing various functions. This is achieved when the user loads a webpage created with specific code in the META HTTP-EQUIV="refresh" html tag.
Testing has shown that this "issue" affects anyone running the 4.7 version of the official AIM client on Win 9x, Me, XP, 2000, or the 4.5 version on Mac OS9/X. The AIM client available for Linux is not affected. The 4.8 Windows client now gives you a warning, as does the 5.0 Beta*. (Perhaps it affects others as well... NT? CE? If you notice that it's able to affect any of these or any others, email brian@mindflip.org and let me know so I can update this list.)
Discovering this "issue" has inspired me to stop using the official AIM client. I now use Trillian, http://www.trillian.cc, which offers similar features while not being subject to this "issue".
Explanation ( how it works ):
On a whim I decided to send someone an AIM greeting card. On the last page of that process AOL goes ahead and pops up an AIM window with an IM going to the SN for the person you have specified to receive the card. The IM says something to the effect of "You've got a greeting, click here." Convenient: this way all you have to do is hit send and it will IM the person to let them know. This greeting card page popped up the window automatically; I didn't have to click any links or OK anything, just load the page. That's right kids, if AOL can pop up a new IM window automatically with a webpage, so can anyone else.
Viewing the source of that page showed me that there was code in the META refresh tag...
<META HTTP-EQUIV="refresh" CONTENT=4;URL=aim:goim?screenname=mybuddy&message=buch_of_stuff_here>
Various lists exist all over the net explaining how to create AIM links. I had seen them before and looked at one again for reference. I derived the following link code, usually surrounded by <a href=" etc., which adds a buddy list group and a series of buddies:
aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg
So by replacing their META HTTP-EQUIV="refresh" code with my own...
<META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>
(all on one line)
Once I let my test webpage load, which included the above line in the HTML, I managed to add a list of buddies and a group to my buddy list.
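The mechanism above is an ordinary META refresh whose target is a non-web URI scheme, so the browser hands it to whatever local handler (here AIM) is registered for that scheme. As an added example, not part of the original article, here is a small Python scanner a site operator or proxy maintainer could run over HTML to flag exactly that pattern: refresh META tags whose URL is anything other than http(s). The sample page embedded below is constructed for the test and reuses the tag format from the article; the function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a normal page redirect is expected to use. Anything else
# (aim:, etc.) is dispatched to a locally registered protocol handler,
# which is the behaviour the article describes.
BENIGN_SCHEMES = {"http", "https", ""}


def parse_refresh_content(content: str):
    """Split a refresh META content value into (delay_seconds, url).

    Accepts the forms seen in the wild: "30", "0;URL=...", "5; url=...",
    and a URL quoted inside the content value. url is None for a plain
    timed reload with no target.
    """
    delay_part, _, rest = content.partition(";")
    delay_part = delay_part.strip()
    delay = int(delay_part) if delay_part.isdigit() else 0
    rest = rest.strip()
    if rest.lower().startswith("url"):
        rest = rest[3:].lstrip()
        if rest.startswith("="):
            rest = rest[1:].strip()
    rest = rest.strip("\"'")
    return delay, (rest or None)


class RefreshMetaFinder(HTMLParser):
    """Collect every <meta http-equiv="refresh"> target in a document."""

    def __init__(self):
        super().__init__()
        self.refreshes = []  # list of (delay, url)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # HTMLParser lowercases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        delay, url = parse_refresh_content(a.get("content", ""))
        if url is not None:
            self.refreshes.append((delay, url))


def find_protocol_handler_refreshes(html_text: str):
    """Return one finding per refresh META whose target is not an http(s) URL."""
    parser = RefreshMetaFinder()
    parser.feed(html_text)
    parser.close()
    findings = []
    for delay, url in parser.refreshes:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in BENIGN_SCHEMES:
            findings.append({"delay": delay, "scheme": scheme, "url": url})
    return findings


# Constructed sample: the article's unquoted, multi-line META form plus two
# benign refreshes (a timed reload and an https redirect) that must not fire.
SAMPLE_PAGE = """<html><head>
<title>constructed test page</title>
<META
HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>
<meta http-equiv="refresh" content="30">
<meta http-equiv="Refresh" content="5; url=https://example.com/next.html">
</head><body>hello</body></html>
"""

if __name__ == "__main__":
    for f in find_protocol_handler_refreshes(SAMPLE_PAGE):
        print(f"refresh after {f['delay']}s to scheme '{f['scheme']}': {f['url']}")
```

The scanner deliberately treats the META content value loosely (optional delay, optional "URL=", optional quotes) because the tag in the article is unquoted and still works in browsers; a stricter parser would miss exactly the pages worth catching. The same check is easy to add to a content-filtering proxy, and the client-side fix the article hints at (the 4.8 client prompting before acting) is the complement: the handler should not execute commands just because a page triggered it.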
See it in action:
To determine if this issue affects you, make sure you are running AIM ( in some cases accessing this page launches the AIM client automatically ) and then visit the test page I have created. You don't have to click this link to visit the page. You can copy and paste the link into your favorite browser and hit enter. ( Please see warning below before visiting ):
http://www.mindflip.org/aimrefresh/
WARNING: Just so you know ahead of time, viewing the web page in the above link will add a group called "mindfliporg" to your AIM buddy list along with some mindfliporg member screen names as shown in the above example. Feel free to delete this group and buddies at any time afterward. You can also just leave them there and IM us if we are ever on ;).
Potential Evil Uses ( why this is an "issue" to me and should be to you ):
As with all findings like this, there is always the potential for exploitation. I suggest you do not go down that road. If you do, I nor mindflip are responsible for what occurs.
Using the same method one can:
° Register a new user to that aim client and make that user attempt to logon now.
° Launch and force users to join any chat room.
° Set the buddy icon.
° Automatically fetch a file from another AIM user ( will show warning unless it has been disabled ).
All a person would have to do is check out the list of available "aim:" links and use a little imagination. With the use of a little javascript OnLoad() one could potentially force many behaviors with one page load.
° Think advertising... visit my corporate website and all of a sudden you have a branded buddy list.
° Think automatic direct connection...
° Start thinking about doing away with that AIM client with the "issue".
Comments? Questions? email brian@mindflip.org
* Thanks to Fett for the Mac and Win Me information. Thanks to Bob @ InstantMessagingPlanet.com for the info about 5.0 Beta.
See the bugtraq posting: AIM forced behavior "issue"
See the press coverage for this article: "AOL's AIM Forces the Issue"
Brian