Hacking AOL

I had some free time today and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:

http://autos.aol.com/
http://finance.aol.com/

To more serious domains like:

http://webmail.aol.com/ (need to be logged in)
https://account.login.aol.com/

To the really bad:

https://my.screenname.aol.com/

Access to all of AOL’s web services requires only two cookies: SNS_AA from aol.com and SNS_SKWAT from screenname.aol.com. The only positive thing I ran into is the fact that they require you to answer a security question to access account management functions.

Oh! I almost forgot, they also made a feeble attempt at blocking a select number of JavaScript functions and attributes by matching on the literal text. For example, this is blocked:

alert(document.cookie)

But this isn’t:

x=document;alert(x.cookie);
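As an added example (not code from the post, and not AOL’s filter), here is a token blacklist of the kind described above next to context-aware output encoding, run against the two probes from the post as constructed sample input; the token list and function names are assumptions.

```javascript
// Added illustration, not code from the post or from AOL: a literal-match
// blacklist of the kind the post describes, beside unconditional HTML output
// encoding, which is the control that actually prevents reflected XSS.

// Hypothetical blacklist (assumed token list). Any input that reaches the page
// in a form the list does not anticipate is rendered unescaped; that is the
// structural weakness of the approach, not a matter of a longer list.
const BLOCKED_TOKENS = ["document.cookie", "document.write"];

function naiveBlacklistBlocks(input) {
  const lower = input.toLowerCase();
  return BLOCKED_TOKENS.some((t) => lower.includes(t));
}

// Encode for an HTML text or attribute context. Every character that can
// change the parser's state is replaced, so the browser treats the whole
// value as data regardless of what it contains.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

// Reflect a query parameter into a page the way a search box would.
// The vulnerable form shows what the blacklist lets through; the hardened
// form encodes unconditionally and never needs to recognise a payload.
function reflectVulnerable(q) {
  return naiveBlacklistBlocks(q) ? "<p>blocked</p>" : `<p>You searched for: ${q}</p>`;
}

function reflectHardened(q) {
  return `<p>You searched for: ${encodeForHtml(q)}</p>`;
}

// True if the rendered HTML still contains a live <script> element, i.e. the
// untrusted input escaped the data context.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The two probes quoted in the post, wrapped in a script element (constructed sample).
const PROBES = [
  "<script>alert(document.cookie)</script>",       // matched by the blacklist
  "<script>x=document;alert(x.cookie);</script>",  // same effect, not matched
];
```

Detection-wise, the useful signal is not the blocked string but the unencoded reflection: a response that echoes a request parameter containing `<` or `"` verbatim is the finding, whatever the parameter says.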

4 thoughts on “Hacking AOL”

  1. So how do you get into the AOL account without answering the security question and with no password? I did it before and now I can’t remember how…

  2. Hey.. I need help.

    I think my dad is cheating on my mom and I’m pretty sure there’s proof on his AOL screen name. It’s on my computer.. so maybe there are those cookies you were talking about..
    I’m in NO WAY a hacker.. so I thought.. maybe if you could help me break into my dad’s AOL messages.. That would be amazing.

    Thanks so much.. and if you can’t.. well.. I guess I’ll have to look around for more ways..

    Thanks again,
    Kass

  3. I need somebody’s help. I need to find out my child’s father’s password for AOL, not to change anything, I don’t want that, I just want to know the truth about things. He threatens me with court to take my child from me and he is a horrible person.
    I just need to know what he’s lied about.
    If anybody can help me, send me an email at slipknotchik447@aol.com
