AIM users prone to name hijacks

Flaws in the server used to sign up for AOL's Instant Messenger give hackers a way to steal other users' names. But you can protect yourself

Users of America Online's Instant Messenger application are in danger of losing their on-screen identities.

On Wednesday, two AOL user sites -- and -- revealed that the accounts of AIM users were being stolen by hackers using a technique that has been wafting about the Internet for weeks.

"This vulnerability was known to AOL for a significant amount of time before we released it," the two sites said in a combined statement released Wednesday. "It was known to a large underground user base of AIM aficionados... and can be utilised without significant expertise in or knowledge of AOL."

Adrian Lamo, the founder and a staff writer for Inside-AOL, accused the Internet giant of not closing the hole in a timely manner.

"AOL isn't really paying attention to policy flaws and security flaws, and by bringing attention to it in a public forum, we hope to get AOL to fix the problem," Lamo said.

The flaw has been used for more than a month by hackers to compromise AIM accounts, but the hijacking has picked up significantly in the past few weeks.

AOL could not be reached for comment prior to publication of this article.

Using an internal AOL administration tool readily available on the Internet, name hijackers can send a specific set of commands to the AIM registration server, instructing it to grant a name that already exists. The technique exploits a flaw in the AIM servers that allows a vandal to steal a user's account only if a name consisting of all but the first two letters of the user's account has not been registered. For example, if a hacker wanted to steal the account of "Joe User," he could steal it by registering "e User" with the AIM server.

Using an administration tool, the hacker can add the first two letters to the name.

Until AOL fixes the server, users can protect themselves by registering the name that hackers use (the name minus the first two letters). To do so, follow these steps:

1) Go to this AOL IM registration page.
2) Register your name minus the first two letters. If you are EXAMPLENAME, then register AMPLENAME.

If the registration process says that the "nick" is already taken, the shorter name has most likely been registered legitimately by someone else. If it lets you register the name, your original name is now protected against this hijack.

The flaw only makes stand-alone AIM users vulnerable. Members of America Online -- that is, people who use AOL for Internet access -- don't have to worry, according to
