AOL Instant Messages Hacked


America Online is scrambling to plug security holes in its Instant Messenger, after a small group of teen-age hackers boasted it can commandeer any AOL Instant Messenger account, using only the screen name of the user.

AIM allows users to communicate in real time by typing messages to each other -- instant chats, in effect.

In email messages to technology media, the hackers claim they enjoy making trouble by, among other things, sending malicious messages to friends of AOL account holders.

An AOL spokesman said the company is aware of the situation and is "deploying security measures to defeat it."

"To date, we have not heard from a whole lot of members, but it is important to us to provide the highest level of security possible," said Rich D'Amato.

AOL promises prosecution

D'Amato said AOL is investigating the security breach and is trying to track down the alleged hackers.

"This is hacker behavior that has clearly crossed over into illegal hacker behavior, and we will notify the proper authorities if we can identify them and intend to prosecute," D'Amato said.

The teens say they are using an AOL staff tool they found to change "AIM" passwords, locking the real owners out of their accounts and giving the hackers access to the users' "buddy lists."

AOL says there are more than 40 million registered AIM users, sending more than 470 million instant messages daily.

Security consultant Jon Klein of Tinton Falls, N.J., said the AIM programmers may have been lax in worrying about security.

"As computers have gotten cheaper and faster, programmers have gotten sloppier and sloppier with their programming," said Klein.

That sloppiness, said Klein, "allowed a hacker to enter in a user's handle and get an invalid password when registering, and then go to another part of the program and allow the user to change the password. They should have made the user authenticate with the old password before allowing them to change the password. This is just a simple case of programmer sloppiness and lack of extensive testing."
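The check Klein describes, sketched as an added example that is not part of the original report and is not AOL's code: a toy in-memory account store in Python where a password change that trusts the screen name alone sits beside one that re-authenticates with the old password. The class, method names and sample credentials are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


class AccountStore:
    """Toy account store (hypothetical, for illustration only)."""

    def __init__(self):
        self._accounts = {}  # screen name -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set(self, name, password):
        salt = os.urandom(16)
        self._accounts[name] = (salt, self._derive(password, salt))

    def register(self, name, password):
        # Registering an existing screen name must fail without touching
        # the existing account's state.
        if name in self._accounts:
            return False
        self._set(name, password)
        return True

    def verify(self, name, password):
        record = self._accounts.get(name)
        if record is None:
            return False
        salt, key = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(key, self._derive(password, salt))

    def change_password_unchecked(self, name, new_password):
        # Flawed form: the screen name alone authorizes the change.
        if name not in self._accounts:
            return False
        self._set(name, new_password)
        return True

    def change_password(self, name, old_password, new_password):
        # Hardened form: the caller must prove knowledge of the old password.
        if not self.verify(name, old_password):
            return False
        self._set(name, new_password)
        return True
```
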

The latest version of AIM, 3.0, debuted last August during a feud with Microsoft over its own instant-messaging product.

©2000 CBS Worldwide Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. Reuters Limited contributed to this report.
  • CBSNews.com staff
