[14850] in bugtraq
AOL Instant Messenger
daemon@ATHENA.MIT.EDU (Daniel P. Stasinski)
Tue May 9 14:09:31 2000
Message-Id: <002401bfb918$7310d5a0$1ef084ce@karemor.com>
Date: Mon, 8 May 2000 11:08:44 -0700
Reply-To: "Daniel P. Stasinski" <daniels@KAREMOR.COM>
From: "Daniel P. Stasinski" <daniels@KAREMOR.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

When sending a file to someone using AOL's Instant Messenger
program, the entire local path of your file is shown to the
recipient. Not only is this an invasion of privacy, it also
opens the door to known security holes in web browsers where
access can be gained to specific files provided that you know the
full path to those files, or guessed file names in that same
path.

AOL has not responded to my direct reports.

Daniel
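
The disclosure described in the post, next to a sender-side fix, as an added example that is not part of the original message and is not AOL's code. The offer dictionary, the function names and the sample paths are assumptions made for illustration; the actual transfer protocol is not shown in the post.

```python
import ntpath


def wire_filename(local_path: str) -> str:
    """Name to advertise to the peer: the last path component only."""
    # ntpath splits on both "\\" and "/" and drops drive letters and UNC
    # prefixes, so Windows and POSIX paths are handled on any host OS.
    name = ntpath.basename(local_path.rstrip("\\/"))
    if name in ("", ".", ".."):
        raise ValueError("path has no usable file name")
    return name


def leaks_local_path(advertised: str) -> bool:
    """True if an advertised name still carries directory or drive info."""
    drive, _ = ntpath.splitdrive(advertised)
    return bool(drive) or "\\" in advertised or "/" in advertised


def build_offer_leaky(local_path: str, size: int) -> dict:
    # Behaviour described in the post: the sender's full path goes on the wire.
    return {"name": local_path, "size": size}


def build_offer(local_path: str, size: int) -> dict:
    # Hardened form: only the base name leaves the sender's machine.
    return {"name": wire_filename(local_path), "size": size}


# Constructed sample paths (hypothetical, not taken from the post).
SAMPLES = [
    r"C:\Users\dan\Documents\resume.doc",
    r"\\fileserver\home\dan\budget.xls",
    "/home/dan/notes.txt",
    "C:report.txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        leaky = build_offer_leaky(path, 1024)
        fixed = build_offer(path, 1024)
        print(f"{leaky['name']!r:45} leaks={leaks_local_path(leaky['name'])}"
              f" -> {fixed['name']!r} leaks={leaks_local_path(fixed['name'])}")
```

The same `leaks_local_path` check can run on the receiving side or in a test harness to flag offers that still contain a drive letter or directory separator.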