Portal:AOL-Files/Articles/CL Pin Exploit
(Originally by AOL-Files staff member Tau)
A recent exploit allowed CL pin numbers to be cracked via an AOL web site. Once the pin number was cracked the people involved could call AOL and have the password reset. Also, after entering the correct pin number the billing information on the accounts could be changed.
Chris, the person who figured out how to do this, was at the Community Leaders Headquarters (CLHQ) and found a link to the CL Registration Update page. This could be accessed by going to keyword: CLHQ > Requests > CL Registration Update. The web page that he was brought to was http://www.people.web.aol.com/cls/update.
On this page it asked for the CL's screen name and pin number. After entering a screen name and a pin number it would give you a message of "Your screen name and PIN Number do not match," or "Your screen name is not listed as a registered Community Leader screen name," or it would proceed to the update registration page. Pin numbers are four digits long and consist of numbers. Now it was only a matter of going through every pin number (0000 - 9999) until it brought you to the next page.
Chris aka Sickness had his friend Trez make a program to do it automatically. With this program they cracked CL's pin numbers. Then they could either changed the billing information then call and have the password reset or just call with the pin number and have the password reset.
After AOL realized that this was happening they changed the password reset requirements. People who called now had to not only supply the pin number but the credit card information as well. AOL also closed the web site. A few days later the CLHQ's page said, "The CL Update area in Keyword: CLHQ (CLHQ > Requests > CL Registration Update) is temporarily unavailable. Please continue to update your personal information via Keyword: Billing. We'll let you know when the CL Update area in CLHQ is back online." With this the exploit died.
The CL pin check login has been recreated below. This will give you a good idea of how the exploit was done.
<form method=post action="http://18.104.22.168/cgi-bin/nda.cgi" enctype="application/x-www-form-urlencoded"> <table> <tr> <td><b>Master Name:</b><br><input type=text name=sn size=16 maxlength=16></td> <td><b>Pin #:</b><br><input type=text name=pn size=16 maxlength=4></td> </tr> <tr> <td align="right"><input type=submit value=submit></td> <td align="left"><input type=reset value=clear></td> </tr> </table> </form>