Mailing List Archive

AOL Instant Messenger - Away Setting and Snoopers
Yet another reason never to use AOL...

AOL Instant Messenger is used by many millions of people to send and receive
messages in real-time. It features several "states" for a user, such as
away, idle, etc. that change the behavior of the client when set. AOL
employs a feature "Hide windows while away" that, as its name implies, hides
all windows in AIM while the user is away. However, even with windows
hidden, it is possible for snoopers to view conversation.

If a user sends you a message while you are away, and regardless of "hide
windows" being enabled, the entire conversation between the two parties
becomes readable to anyone with access to the terminal just by clicking the
desired screen name.

Example:

1) 2 users chat...
2) user A leaves, setting away status
3) user B checks with a simple "are you there?" type message
4) upon receiving the away, no further messages are exchanged, as user A has
left
5) someone with local access checks the away queue for info
6) checking each screen name, he/she saves each transcript
7) user A returns, and responds to the message
8) chat continues...

Workaround: Don't use away state, or close all conversation windows
yourself; never use the hide window feature, that is just lazy. :-)

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
Re: AOL Instant Messenger - Away Setting and Snoopers
WorkAround/Real Fix:
Or better yet lock the screen while you are away.

This is like leaving logged in as root on a UNIX box and
letting other people have physical access to the machine.


Thanks,
Andrew Pinski
Re: AOL Instant Messenger - Away Setting and Snoopers
Real Solution = common sense

Some things just can't be solved through technology.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
Re: AOL Instant Messenger - Away Setting and Snoopers
I don't think the "hide window while away" feature was designed with
security in mind. I believe it's more for keeping the desktop clear. Someone
with local access could also just as easily turn off away and look at the
windows....


----- Original Message -----
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>; "Full Disclosure"
<full-disclosure@lists.netsys.com>; "SecurITeam News" <news@securiteam.com>;
"Vuln-Dev" <vuln-dev@securityfocus.com>
Sent: Sunday, August 04, 2002 6:56 PM
Subject: AOL Instant Messenger - Away Setting and Snoopers


> Yet another reason never to use AOL...
>
> AOL Instant Messenger is used by many millions of people to send and receive
> messages in real-time. It features several "states" for a user, such as
> away, idle, etc. that change the behavior of the client when set. AOL
> employs a feature "Hide windows while away" that, as its name implies, hides
> all windows in AIM while the user is away. However, even with windows
> hidden, it is possible for snoopers to view conversation.
>
> If a user sends you a message while you are away, and regardless of "hide
> windows" being enabled, the entire conversation between the two parties
> becomes readable to anyone with access to the terminal just by clicking the
> desired screen name.
>
> Example:
>
> 1) 2 users chat...
> 2) user A leaves, setting away status
> 3) user B checks with a simple "are you there?" type message
> 4) upon receiving the away, no further messages are exchanged, as user A has
> left
> 5) someone with local access checks the away queue for info
> 6) checking each screen name, he/she saves each transcript
> 7) user A returns, and responds to the message
> 8) chat continues...
>
> Workaround: Don't use away state, or close all conversation windows
> yourself; never use the hide window feature, that is just lazy. :-)
>
> "The reason the mainstream is thought
> of as a stream is because it is
> so shallow."
> - Author Unknown
Re: AOL Instant Messenger - Away Setting and Snoopers
>i fail to see the importance of this. the hide window option is primarily
>for preventing full screen applications (particularly games) from crashing
>or switching to the desktop when another user messages you. i highly doubt
>the hide window option is intended for any security purposes. if you're
>concerned with people viewing your screen, lock it with a screensaver or
>nt/2k/xp "lock" feature.

"Hide window" stops people from viewing your windows. With this,
somebody *could* view your window. It really is a matter of information
disclosure -- do I need to see three pages of chat to tell me the relevance
of 2 messages while I'm away? Not likely...
Re: AOL Instant Messenger - Away Setting and Snoopers
certainly, if you don't use the "hide" option people can read your messages.
who cares? if there is a situation where your computer is on and your aim
message dialogs or even your aim panel is displayed then the following must
be correct. 1) your computer is currently on 2) no security methods have
been engaged to prevent computer manipulation. thus it doesn't matter if
you use the hide or not. if a person wants to know what you're chatting
about there is nothing stopping them from finding out if the previous
situations were true. anyone that would even CONSIDER this as a "security
option" needs some assistance. i suppose it depends on what your uses are.
since the very first time i ever used aim i saw this option as a solution of
instant message popup windows of crashing my games when i'm playing them
full screen. i suppose someone who sees it as a security method would also
see the minimize button as a method of hiding their data as well as the
power button the ultimate form of security. do you see my point?


----- Original Message -----
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "Mark Shirley" <cyberfrog@core5.net>; "BugTraq"
<bugtraq@securityfocus.com>; "Full Disclosure"
<full-disclosure@lists.netsys.com>; "SecurITeam News" <news@securiteam.com>;
"Vuln-Dev" <vuln-dev@securityfocus.com>
Sent: Monday, August 05, 2002 3:09 AM
Subject: Re: AOL Instant Messenger - Away Setting and Snoopers


> >i fail to see the importance of this. the hide window option is primarily
> >for preventing full screen applications (particularly games) from crashing
> >or switching to the desktop when another user messages you. i highly doubt
> >the hide window option is intended for any security purposes. if you're
> >concerned with people viewing your screen, lock it with a screensaver or
> >nt/2k/xp "lock" feature.
>
> "Hide window" stops people from viewing your windows. With this,
> somebody *could* view your window. It really is a matter of information
> disclosure -- do I need to see three pages of chat to tell me the relevance
> of 2 messages while I'm away? Not likely...