[25060] in bugtraq
Re: Ability to read buddy list of AIM users
daemon@ATHENA.MIT.EDU (Andrew J. Stackhouse)
Mon Apr 15 14:55:59 2002
Message-ID: <008301c1e49a$2b74dca0$3401a8c0@vertexf5g4s840>
From: "Andrew J. Stackhouse" <ajs@codewolf.com>
To: "sunny licious" <sunnylicious@hotmail.com>, <bugtraq@securityfocus.com>
Date: Mon, 15 Apr 2002 12:25:03 -0400
Actually on my Win2k install (AIM version 4.7.2480), the file is in:
C:\Documents and Settings\<w2k user name>\Application Data\Aim\<AIM User Name>
which would not be accessible by anyone but the user or someone with
Administrator's rights.
----- Original Message -----
From: "sunny licious" <sunnylicious@hotmail.com>
To: <bugtraq@securityfocus.com>
Sent: Monday, April 15, 2002 11:30 AM
Subject: Ability to read buddy list of AIM users
>
>
> I've been able to do this on publicly accessible
> computers...such as university labs...You can see
> the buddy list of other people who have signed on to
> AIM on that computer. On win2k in the folder named
> winnt/AIM95/"screenname" there is a file called
> userinfo.bag which stores all the names on your
> buddy list...all you have to do is traverse to a different
> screenname directory and open up the file with any
> editor. In win XP the folder is in
> winnt/system32/aim95. This pretty much works on
> any OS although I haven't tried linux and Mac yet.
> Although this may not be a serious threat, it's pretty
> much a violation of privacy...and that is a right we all
> have correct?? correct..It's pretty easy for anyone
> being nosy to start harassing people on your buddy
> list. I hope this isn't a repost. Contacting AOL also
> pretty much all that needs to be done is check out the
> aim95 folder for a file called userinfo.bag