Restricted Suffix Screen Names
Discovered By:
Evergrace
Date:
December 10, 2000
Patched:
December 15, 2000; re-opened using an invoke the same day, and then
finally patched on December 18, 2000
AOL added a new feature to the kw: Names sub-account creation process.
If a screen name you wanted was unavailable, a form would come up asking
you to enter three words, and AOL would then automatically make an SN
for you based on these three words.
The n* token which ran this process did not have a restricted SN check
after the 10th character, which meant any restricted characters after the
10th would be allowed. Screen names created using this exploit included
"YouMotherFucker", "IownSteveCase", "hahIhaveaGuide", etc.
AOL tried to change the sub-account process back to the original one in
order to kill this exploit. However, the f1 invoke 41-53188 to the form
was still alive and could be used to continue to make restricted suffix
screen names. This was finally fixed by killing the form and modifying
the token which allowed this in the first place.
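The flaw described above, as an added illustration in Python (not AOL's code and not part of the original write-up): a restricted-term check that inspects only the first 10 characters, beside one that inspects the whole name and is called from a single creation routine. The term list, the 16-character limit and all function names are assumptions made for the example.

```python
# Constructed illustration; terms, limits and names below are assumptions.
RESTRICTED_TERMS = ("guide", "stevecase")  # assumed list, drawn from the names quoted above
CHECKED_PREFIX = 10                        # the flawed check stopped after this many characters
MAX_LENGTH = 16                            # assumed screen-name length limit


def normalize(name):
    """Lower-case and drop whitespace so 'Steve Case' and 'stevecase' compare equal."""
    return "".join(name.split()).casefold()


def build_name(words):
    """Join the three words from the form into one candidate name."""
    return "".join(w.strip() for w in words)[:MAX_LENGTH]


def is_allowed_flawed(name):
    """Flawed check: only the first CHECKED_PREFIX characters are inspected."""
    head = normalize(name)[:CHECKED_PREFIX]
    return not any(term in head for term in RESTRICTED_TERMS)


def is_allowed_fixed(name):
    """Corrected check: the whole normalized name is inspected."""
    whole = normalize(name)
    return not any(term in whole for term in RESTRICTED_TERMS)


def create_from_words(words, check=is_allowed_fixed):
    """Single creation routine. Every entry point, including an older form
    that is still reachable, has to go through this same check."""
    name = build_name(words)
    if not check(name):
        raise ValueError(f"restricted screen name: {name!r}")
    return name


if __name__ == "__main__":
    for sample in ("hahIhaveaGuide", "IownSteveCase", "GuideBob"):
        print(sample, is_allowed_flawed(sample), is_allowed_fixed(sample))
```

Because the check lives in the creation routine rather than in the form, retiring or restoring a form does not change what is validated.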
Contributed By:
O0O and rogers