Restricted Screen Name Exploit
by Tau
This article will explain exactly how restricted screen
names were exploited. It is still unclear who originally found
the exploit: the majority say Dolan did, on September 10th, but
some say he was not the one who discovered it, only the first to
go into private chat rooms on these names. Either way, Dolan
is still receiving the most attention for this.
Numbered screen names, two and one character screen names,
staff prefixes, curse words, and screen names with periods
(such as the screen name "Observers.net") were all created
using this exploit. "HOST Guide" screen names also had the
ability to gag screen names, that is, block them from sending
text to a chat room for a certain amount of time. Some of
the better screen names included "0", "1", "69", "Observers.net",
"OnIineHost" (the L is an I), as well as "TOSGeneral OE",
"AOL Admin", and many other staff-like names.
How it was Done
These screen names were created off of free.aol.com,
or more specifically https://free.aol.com/tryaolfree/wr15_1/mem_info.adp?promo=153830&session_id=56901248.
- The first page in the registration asks for your name,
  address, city, etc., which will later be used in the credit
  card validation.
- After entering all of the correct information and proceeding
  to the next page, it will ask you for a screen name. Any
  screen name will do, as long as it is not taken. You could
  put something like "Blah1234321" or something. Put a simple
  password in, and proceed to the next page.
- Accept the Terms of Service and go to the next page. This
  page is where the exploit was found.
- This page will ask for a credit card number. But before
  doing this we need to edit the screen name. To do this:
  - Right click the page and click "View Source". This
    will bring up Notepad or whatever other text editor
    you have to open text files.
  - Scroll down to the bottom of the HTML to where it
    says
    <INPUT TYPE=hidden NAME=screen_name VALUE="Blah1234321">
    Now change it to the screen name you want. The logic
    behind this is that when you reopen this page AOL will
    already think that the screen name has been checked
    and it will not check it again.
  - Now you need to fix all the URLs on the page. If the
    text editor you are using supports a Replace feature you
    can use that; if not, then you need to do this manually.
    Where a URL begins with static/ it needs to be
    replaced with http://free.aol.com/static/ and
    wherever it says tryaolfree/ it needs to be replaced
    with http://free.aol.com/tryaolfree/
  - Save the text document as an HTML document, "whatever.html"
    or something easy to remember.
  - Go back in AOL or Internet Explorer and click File
    | Open. Navigate to that HTML document and open it.
- Now enter the correct information in the fields and proceed
  on.
That's it. If all went successfully you could have had a
restricted screen name. You could have, but AOL patched,
or fixed, this exploit on September 15th, about 5 days after
it had been discovered. Most of the screen names that were created
have been killed or will be killed. But not to fear, the smart
ones made AIM names out of them and can still use them.
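
The root cause described above is a server that trusts a hidden form field it validated on an earlier page. The sketch below is an added example, not AOL's code and not part of the original article: it puts a final-step handler with that flaw beside a hardened one that binds the checked name to the session with an HMAC tag and re-runs the naming policy. The function names, the screen_name_tag field, the key and the policy rules are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the browser
FOLD = str.maketrans("i10", "llo")    # fold look-alikes so "OnIineHost" matches "OnlineHost"
# Illustrative staff prefixes (not AOL's real list), stored in folded form.
STAFF_PREFIXES = tuple(p.translate(FOLD) for p in ("host", "guide", "tos", "aol", "onlinehost"))

def name_allowed(name: str) -> bool:
    """Hypothetical policy for the restricted classes the article lists."""
    compact = name.replace(" ", "").lower()
    # Letter first, 3 to 16 characters: rejects numbered, one/two-character and dotted names.
    if not re.fullmatch(r"[a-z][a-z0-9]{2,15}", compact):
        return False
    return not compact.translate(FOLD).startswith(STAFF_PREFIXES)

def seal(session_id: str, name: str) -> str:
    """Tag issued by the screen-name step once the name has passed name_allowed()."""
    msg = f"{session_id}\x00{name}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def finish_vulnerable(form: dict) -> str:
    # The flaw described above: the hidden field is taken as already checked.
    return form["screen_name"]

def finish_hardened(session_id: str, form: dict) -> str:
    name, tag = form.get("screen_name", ""), form.get("screen_name_tag", "")
    if not hmac.compare_digest(tag.encode(), seal(session_id, name).encode()):
        raise ValueError("screen_name changed after validation")
    if not name_allowed(name):  # re-check at the step that actually creates the account
        raise ValueError("screen_name violates naming policy")
    return name

if __name__ == "__main__":
    sid = "sess-demo-1"  # constructed session id
    form = {"screen_name": "Blah1234321", "screen_name_tag": seal(sid, "Blah1234321")}
    edited = dict(form, screen_name="0")  # hidden field changed in a saved copy of the page
    print("vulnerable accepts:", finish_vulnerable(edited))
    try:
        finish_hardened(sid, edited)
    except ValueError as err:
        print("hardened rejects:", err)
    print("hardened accepts:", finish_hardened(sid, form))
```

Keeping the validated name in server-side session state and sending no hidden field at all closes the same gap without needing a tag.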