
Mail Loophole
by Tau

This story begins a few months ago, while Craig was innocently using his Palm Vx. He was running AOL Mail VII, a program that lets users access the AOL mail site through a special interface designed for the Palm Pilot VII. He was using OmniSky, an ISP that puts a special bookmark at the bottom of every page that allows the user to see the URL. AOL probably did not anticipate this option, because on a normal system the user cannot see the URL. With OmniSky's bookmark feature, however, the user can. Craig noticed the URL to AOL Mail:

http://palmvii.mail.aol.com/main.dci?readonly=1&SID=craig|aol.com|255.255.255.255:5005|2760850796280876|0|

It occurred to Craig that if he changed his screen name in the URL to another, he might be able to send mail from any screen name he desired. His idea worked marvelously: by editing the screen name in the URL, he had the ability to send mail from any screen name.

However, this only worked for sending mail. If an attempt was made to read mail, the page said that the screen name had been logged out of AOL mail for more than 30 minutes and that it should log in again if it wanted to check new mail.

Craig kept quiet about his discovery for a few months then decided to tell someone. He told Viowatch that he could send mail from any screen name by editing the URL of the Palm write mail form and that it was done on a Palm. He did not tell Viowatch what the URL was though. Viowatch told Hpyah and the latter told BMB and another who chooses to remain anonymous.

This person wanted to experiment and see whether this trick could be done on a Windows system. To find out the URL that Craig used, he downloaded a Palm emulator and used a Palm memory editor to find the URL for himself. He tested it on Windows and discovered that he could do the same thing Craig did, using the same method, on any platform. His discovery spread throughout the group of people who first knew about it. Now, along with Craig, this last person, Viowatch, Hypah, and BMB could also send mail from any screen name.

It was determined that mail could be sent from screen names with "Official AOL Mail" capability, but the mail would only show up as regular mail, not with the blue border that Official Mail has. This group of people had their fun and, as you might expect, it soon died.

Soon after it died, BMB began to scan AOL IP addresses in the hope of finding another AOL Mail address that could be exploited the same way. He found that the same loophole that was at http://palmvii.mail.aol.com existed at http://palmvii.aolmail.aol.com. The loophole was active again. This one lasted three more weeks, which brings us to March 15, the date it was permanently terminated by AOL.

AOL patched both loopholes by encoding the URLs. Instead of showing up as it did above, it now showed up only as code:

http://palmvii.mail.aol.com/main.dci?writeonly=1&SID=d567546cc20cc16e199c03185acfd29119131d56933c4ba1dce5eddb617c4f68b9e5feb07599a385898166918f543543537ea40851ec36fd81b6054a1a7015767049aa1686b8
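
The flaw described above is that the server took the sender's identity from a field the client could edit. The following is an added example, not code from the article or from AOL: it parses the SID layout shown in the first URL and contrasts trusting it with verifying a server-issued HMAC tag. The field names other than the screen name, the key handling and the tag format are assumptions; the article does not say how AOL actually encoded the SID.

```python
import hashlib
import hmac
import secrets

# SID copied from the article's first URL; field meanings past the
# screen name are assumptions, the article does not define them.
SAMPLE_SID = "craig|aol.com|255.255.255.255:5005|2760850796280876|0|"
SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret, never sent to clients


def parse_sid(sid):
    """Split the pipe-delimited SID into its five fields."""
    name, domain, endpoint, session_id, flag = sid.rstrip("|").split("|")
    return {"name": name, "domain": domain, "endpoint": endpoint,
            "session_id": session_id, "flag": flag}


def sender_trusting_url(sid):
    """Flawed pattern: the sender is whatever the client-supplied SID says."""
    fields = parse_sid(sid)
    return f"{fields['name']}@{fields['domain']}"


def _tag(sid):
    """HMAC-SHA256 over the full SID string, hex encoded."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_token(sid):
    """Server side, at login: append an HMAC tag over the whole SID."""
    return sid + _tag(sid)


def sender_verified(token):
    """Server side, per request: reject any SID whose tag does not match."""
    head, sep, tag = token.rpartition("|")
    sid = head + sep
    if not sep or not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        raise PermissionError("SID was modified after it was issued")
    return sender_trusting_url(sid)


if __name__ == "__main__":
    edited = SAMPLE_SID.replace("craig", "another_name", 1)  # constructed edit
    print(sender_trusting_url(edited))   # flawed path accepts the edited name
    token = issue_token(SAMPLE_SID)
    print(sender_verified(token))        # untouched token passes
    try:
        sender_verified(token.replace("craig", "another_name", 1))
    except PermissionError as err:
        print("rejected:", err)
```

The tag only detects edits: it does not hide the fields or expire the session, so a real deployment would also need a lifetime check or a random server-side session identifier.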

The loophole doesn't work anymore, but if you would like to check or write mail from the Palm interface (sans the graphics), you can log in to AOL Mail by replacing SCREENNAME and PASSWORD below with your screen name and password, respectively.

http://palmvii.mail.aol.com/main.dci?u=SCREENNAME&p=PASSWORD&w=0&v=1.0.13



© 2000 BMB and Tau Productions. Contacts: BMB | Tau | Rob