AOL Instant Messages Hacked

America Online is scrambling to plug security holes in its Instant Messenger, after a small group of teen-age hackers boasted it can commandeer any AOL Instant Messenger account, using only the screen name of the user.

AIM allows users to communicate in real time by typing messages to each other -- instant chats, in effect.

In Email messages to technology media, the hackers claim they enjoy making trouble by, among other things, sending malicious messages to friends of AOL account holders.

An AOL spokesman said the company is aware of the situation and is "deploying security measures to defeat it."

"To date, we have not heard from a whole lot of members, but it is important to us to provide the highest level of security possible," said Rich D'Amato.

AOL promises prosecution

D'Amato said AOL is investigating the security breach and is trying to track down the alleged hackers.

"This is hacker behavior that has clearly crossed over into illegal hacker behavior, and we will notify the proper authorities if we can identify them and intend to prosecute," D'Amato said.

The teens say they are using an AOL staff tool they found to change "AIM" passwords, locking the real owners out of their accounts and giving the hackers access to the users' "buddy lists."

AOL says there are more than 40 million registered AIM users, sending more than 470 million instant messages daily.

Security consultant Jon Klein of Tinton Falls, N.J., said the AIM programmers may have been lax in worrying about security.

"As computers have gotten cheaper and faster, programmers have gotten sloppier and sloppier with their programming," said Klein.

That sloppiness, said Klein, "allowed a hacker to enter in a user's handle and get an invalid password when registering, and then go to another part of the program and allow the user to change the password. They should have made the user authenticate with the old password before allowing them to change the password. This is just a simple case of programmer sloppiness and lack of extensive testing."

The latest version of AIM, 3.0, debuted last August during a feud with Microsoft over its own instant-messaging product.

©2000 CBS Worldwide Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. Reuters Limited contributed to this report.
