Student finds AOL bug
By Janet Kornblum
Staff Writer, CNET NEWS.COM
February 24, 1998, 4:35 a.m. PT
A 14-year-old high school student from
Tampa, Florida has discovered a bug in
America Online's (AOL) Instant Messenger
(IM) system that could be used to
surreptitiously send malicious computer
code to Internet users of the IM system.
AOL confirmed that there was a problem and
is working on a solution, AOL spokeswoman
Wendy Goldberg said.
Although it is unclear if anyone has actually
ever used the program to cause harm, like
most bugs, the problem is that they could if
they wanted to do so, said Stephen
Hemingway, the high school freshman who
discovered the bug.
"I don't think anyone's used it yet but
somebody could stumble across it very
easily," he said.
Hemingway said he was studying the IM
program when he came across some
interesting code: It looked strikingly similar
to an Internet Explorer buffer overflow bug
that he had read about earlier.
That's when he realized that sophisticated
users on AOL could use the IM client to send
bugs or other code, including very small
viruses, to unsuspecting Netizens.
So Hemingway used the program to send
himself some code that would jam his
computer. It worked.
Bill Mattocks, proprietor of Computer
Solutions a small ISP in Kenosha, Wisconsin,
also tested out the bug for NEWS.COM..
Mattocks inserted random code into the
program where Hemingway had indicated it
could be done and sent it to his IM account
on the Internet from his AOL account.
The program, he said, "immediately
generated an internal error and crashed.
Windows 95 itself became unstable minutes
later and the entire machine crashed, as
well."
Hemingway also said he was able to make his
computer crash. Theoretically, the program
could be used to send a small virus--less
than 1,000 bytes large, Hemingway said.
"I actually tried to infect myself with a virus to
see if it was possible but I was unable to find
a virus small enough," he said. "I didn't
particularly like the idea of giving myself a
virus anyway."
While it is well known that malicious users on
AOL, some of whom refer to themselves as
hackers and many of whom are teenagers,
like to try to jam up other users also using
the system, their exploits have largely been
confined to the AOL proprietary system.
And while AOL, which has 11 million
members, is often the center of criticism,
public reports of software bugs, fairly
commonplace for other software developers,
are actually fairly unusual for the online
giant. Most of AOL's software, however, is
aimed at its own users on its proprietary
system.