Portal:AOL-Files/Articles/Suspended AIM to AOL

From NINA Wiki
Jump to navigation Jump to search
AOL-Files Aolfileswhite.png  
AOL-Files Articles Downloads FDO91

(Originally by AOL-Files contributor J)

Straying from the usual format of an article, the following will be written in a manner similar to a Q&A forum.

What is this exploit all about?

This exploit allows you to make suspended AOL instant messenger screen names into AOL accounts.

How do I utilize this exploit?

The original derivation of this exploit involves a procedure that is slightly more complicated, but a streamlined process has been created.

  • For AOL 6.0 Users: Set your AOL client version number (via the Star Tool) to 4097.111. Set your country code to J P.
  • For AOL 7.0 Users: Set your AOL client version number (via the Star Tool) to 4114.71. Set your country code to J P.

When signing on, the "classical" screen with three options will appear. Choose the option that turns an AIM into an AOL. Enter the AIM name and password. The exploit is just that simple.

Simple is good, right?

Note: This exploit can also be used to probe an AIM name in an attempt to determine if it can be stolen. The error messages give the status of the tested name.

For those that do not know: The message giving the equivalent of "You have entered a valid AIM name but have specified an Invalid AIM Password" generally indicates that the name can be stolen.

Why does this exploit work?

The client version numbers 4097.111 and 4114.71 are Japanese AOL clients. By using a US client, but setting the country code and version number to Japanese, a full emulation of the service module environment-almost identical, with small differences-is created without the need to have a Japanese version.

One of the attributes of the Japanese Client service is the archaic three-option screen. This screen allows for the old AIM to AOL creation method without violating the rigid order of operations (the order restrictions prevent buffer exploits that used to be possible). The form (and the token(s) it calls) is still active, and varies from the standard method of AIM to AOL creation at the end of registration.

Hint to AOL: fixing the form for only these version numbers will only people exploiting names from those particular clients. Kill the old tokens if you want to stop- provided the move does not cause another part of your service to malfunction.