AOL Instant Messenger silently sniffing, retrieving URLs sent in chats

admin — Sun, 09 Oct 2011 00:27:03 +0000

AOL’s venerable instant messaging network, AOL Instant Messenger (AIM), silently intercepts URLs in private chats and retrieves the content at the sent address without user consent. AOL appears to be retrieving any and all URLs sent during chats indiscriminately, at the network level. Presumably AOL is indexing the users included in the chat, the URL, and the contents of the URL, but it is not clear (at all) what they are doing with this data.

USERS OF AOL INSTANT MESSENGER ARE WARNED THAT URLS SENT IN PRIVATE INSTANT MESSAGES ARE BEING INTERCEPTED AND RETRIEVED BY AOL AT THIS TIME.

Unfortunately virtually no information on what AOL is doing is available at this time. However, the evidence is clear to anyone with access to their own web server. This was discovered by a security analyst affiliated with StealYour.Info:

While chatting with a buddy, I sent them a link to a private file. I had accessed the file to ensure it was there, and then sent it to my buddy. Before he was able to even click the link, the server was hit twice by two different user agents (below). Seconds later, my buddy clicked the link and retrieved the file. Puzzled, I searched for the reason – suspecting some kind of spyware on my buddy’s computer. But in fact, it was the AIM client itself according to our testing. Using completely fake URLs, it was clear that AOL Instant Messenger was in fact passing on the URL I sent for some kind of retrieval and analysis by AOL.

64.12.71.15 – - [08/Oct/2011:20:02:55 -0400] “GET /pwned.fake HTTP/1.1″ 404 292 “-” “Java/1.6.0_22″
64.12.71.15 – - [08/Oct/2011:20:02:55 -0400] “GET /pwned.fake HTTP/1.1″ 404 292 “-” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13″
149.174.17.177 – - [08/Oct/2011:19:52:56 -0400] “GET /pwned.fake HTTP/1.1″ 200 357 “-” “Java/1.6.0_22″
149.174.17.177 – - [08/Oct/2011:19:52:57 -0400] “GET /pwned.fake HTTP/1.1″ 200 357 “-” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13″

We are seeking any available information on this practice and correlating data from other webmasters. If you are able to observe this behavior with the latest AIM client, please confirm our findings in the comments section below and share additional IP addresses AOL may be using for this purpose.

Note that third party instant messaging software (e.g. Pidgin) is affected by this despite the initial description of the discovery, as the monitoring appears to be taking place at the network level.

Google Suggest gets it right for once…

admin — Thu, 08 Oct 2009 14:17:26 +0000

Google suggest: Norton is

Norton is a virus? Not exactly, but they’re on to something. Viruses generally are installed without the user’s consent (e.g. on a new PC), degrade system performance (check), interfere with legitimate programs (e.g. blocking Firefox by default or by accident), take proactive steps to prevent removal (ever try uninstalling it?) and generally disrupt the end user experience. We know that Norton Internet Security isn’t really a virus, but it certainly approaches the status of extortion-ware, considering how persistent it is about reminding users that they are unprotected unless they pay their tribute to the gods of Norton.

How insecure is Norton Internet Security? More to follow…

ican.stealyour.info » Malware

AOL Instant Messenger silently sniffing, retrieving URLs sent in chats

Google Suggest gets it right for once…