Online Password Reset Form
Discovered By:
O0O
Date:
January 1999
Patched:
3rd Week of January 1999
In the fall of 1998, AOL introduced an online password reset form for all
normal AOL accounts. The form was meant to lessen the burden on call
centers from people requesting password resets for lost passwords.
If you entered an incorrect password twice, AOL would give you the
opportunity to verify billing information: first and last name, address,
phone number, and the last four digits of the credit card number. If the
information matched, you could then reset the account password. This was a
huge security hole for AOL, since it made it very easy for people to steal
accounts: billing information was all the form checked, and getting billing
information was a fairly simple task, either by scamming the account owner
or by having an internal contact look the account up in CRIS. So, this
online reset form made it fairly simple for hax0rs to take over an account
without ever having to call AOL.
However, the reason the online reset form was actually taken down was what
happened once Alan got into CRIS. When Alan got into CRIS, O0O gave him the
idea of deconverting OH, CL and any other account type into normal
accounts, which made those accounts eligible for the online password reset
form. So Alan would deconvert the account to a Normal and then give the
billing information to O0O, who would reset the password through the form.
By doing this, EVERY AOL account which wasn't Internal became available for
the taking. Even SID accounts were vulnerable, because an SID on a normal
account made it easy to call up AOL member services and get the SID unbound.
The online password reset form was taken down permanently after a string
of Overhead/CL accounts were stolen within a three-day period.
Contributed By:
O0O