[25093] in bugtraq
RE: Ability to read buddy list of AIM users
daemon@ATHENA.MIT.EDU (emann@questinc.org)
Wed Apr 17 02:04:18 2002
Message-ID: <E00ECDED326C0B4288A0B4F7F02DE2DD131A57@mickey.questinc.org>
From: emann@questinc.org
To: sunnylicious@hotmail.com, bugtraq@securityfocus.com
Date: Mon, 15 Apr 2002 12:20:03 -0400
I do not have the ability to try this as I am at work, but if on an NTFS
system, could you not lock down the user's screenname directory so only they
have access to it? This would probably solve the problem rather easily.
-----Original Message-----
From: sunny licious [mailto:sunnylicious@hotmail.com]
Sent: Monday, April 15, 2002 11:30 AM
To: bugtraq@securityfocus.com
Subject: Ability to read buddy list of AIM users
I've been able to do this on publicly accessible
computers...such as university labs...You can see
the buddy list of other people who have signed on to
AIM on that computer. On win2k in the folder named
winnt/AIM95/"screenname" there is a file called
userinfo.bag which stores all the names on your
buddy list...all you have to do is traverse to a different
screenname directory and open up the file with any
editor. In win XP the folder is in
winnt/system32/aim95. This pretty much works on
any OS although I haven't tried Linux and Mac yet.
Although this may not be a serious threat, it's pretty
much a violation of privacy...and that is a right we all
have correct?? correct..It's pretty easy for anyone
being nosy to start harassing people on your buddy
list. I hope this isn't a repost. Contacting AOL also
pretty much all that needs to be done is check out the
aim95 folder for a file called userinfo.bag
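
The NTFS lockdown suggested in the reply can be verified with an ACL audit like the one below. This is an added example, not part of the original thread: the default root is the Windows 2000 path given in the post, and `Get-BroadReadAce` is a hypothetical helper name.

```powershell
# Added example: report screenname directories readable by broad groups.
# Assumption: default root is the Windows 2000 path named in the post.
param([string]$AimRoot = 'C:\WINNT\AIM95')

# Well-known SIDs covering every user who can log on to a shared machine.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow listing a directory or reading a file's contents.
# Generic bits are included because inherit-only ACEs can carry them unmapped.
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$GenericRead = 0x80000000   # GENERIC_READ (parsed as a negative Int32)
$GenericAll  = 0x10000000   # GENERIC_ALL
$ReadMask    = $ReadData -bor $GenericRead -bor $GenericAll
$SidType     = [System.Security.Principal.SecurityIdentifier]

# Get-BroadReadAce is a hypothetical helper name, not a built-in cmdlet.
function Get-BroadReadAce {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs so matching does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, $SidType)
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid))  { continue }
        if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check each screenname directory and the userinfo.bag inside it, if present.
Get-ChildItem -LiteralPath $AimRoot -Directory | ForEach-Object {
    Get-BroadReadAce -Path $_.FullName
    $bag = Join-Path $_.FullName 'userinfo.bag'
    if (Test-Path -LiteralPath $bag) { Get-BroadReadAce -Path $bag }
}
```

An empty result means none of the listed groups holds a read ACE on those paths; it does not show which Windows account each screenname directory should belong to.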