Teenage hackers who figured out last late last year how to steal the online identities of AOL Instant Messaging users e-mailed at least three technology reporters on Sunday to demonstrate that vulnerability. Salon.com, CNET and MSNBC all witnessed demonstrations in which the hackers changed the passwords to AIM accounts.
Wired News ran an unsigned piece claiming that Salon had been first on the air with the story, and quoted Salon correspondent David Cassel. ( Wired News probably didn't get around to reading the hackers' e-mail quickly enough.) MSNBC ran the only piece that quoted from the Sunday e-mail message itself, and the only one that printed the nom-de-Net of one of the hackers. MSNBC went easy on the mechanics of the hack, omitting the fact that most AIM users who have separate AOL accounts cannot be hacked in this fashion. MSNBC's quote from the hackers' letter -- that they use the pilfered names "just for the pure joy of trying to ruin friendships" -- evokes the more sensational journalistic treatment of hackers. (ZDNet also carried MSNBC's story.) CNET's Courtney Macavinta gave more of the nitty-gritty of how the hack works, but whether through reticence or misdirection from her source, she got one detail wrong. Macavinta wrote that an "AOL staff tool [the hackers] unearthed while poking around the company's proprietary online service" plays a pivotal role in the process of taking over an AIM user's online identity.
Salon's David Cassel, editor of the AOL Watch newsletter, laid out the hack more fully. No stolen AOL administrative tool is involved, he said -- just the knowledge of what one needs to type in order to get to a different screen at a certain point in AOL's registration process. Cassel went further, revealing a second way to steal an AIM identity that does not rely on arcane knowledge at all. Wired News quoted Cassel's damnation of AOL's technique: "AOL left a gaping hole in the way they implemented it. To promote such an easily cracked software really violates any reasonable expectation of security."
Cassel has left AOL no choice but to fix the hole.