
AOL Instant Messenger Leaves Users Vulnerable to Remote Attack

Reported December 12, 2000 by @Stake

  • AOL Instant Messenger 4.3.2229 and earlier


A vulnerability has been identified in AOL Instant Messenger that lets an attacker take over a remote machine. It is important to note that AOL Instant Messenger does not need to be enabled, only installed. An attacker can also exploit the vulnerability through a malicious email or a malicious Web site, launching arbitrary commands.

When users install Instant Messenger, the software registers the URL protocol "aim:" as a hook into its executable. This registration lets users publish their AOL screen name on a Web page, and viewers can then add each user's AOL screen name quickly and easily to a contact list, send an instant message, or perform other functions built into AOL Instant Messenger.


Multiple vulnerabilities have been identified, letting malicious users easily attack and take over target computers. One such overflow can be demonstrated by typing the following (provided by @Stake):

aim:goim?=<insert 300+ string of AAAA here>+-restart

Another vulnerability can be demonstrated by typing the following (provided by @Stake):

aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localhost/AAA (x 3000 characters)
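
Because both demonstrations arrive as "aim:" links in a Web page or email, a mail or proxy filter can flag such links when a parameter is far longer than any screen name or message needs. The following is an added example, not part of the original advisory or of @Stake's material; the length limits and the function names are assumptions chosen for illustration.

```python
import html
import re

# Assumed limits (not from the advisory): the page's demonstrations use 300+
# and about 3000 characters, far beyond any normal screen name or message link.
MAX_PARAM_LEN = 128
MAX_URI_LEN = 512

# aim: links as they appear in HTML attributes or plain-text mail bodies.
AIM_URI_RE = re.compile(r"\baim:[^\s\"'<>]+", re.IGNORECASE)


def inspect_aim_uri(uri):
    """Return the reasons an aim: URI looks abnormal; empty list if none."""
    uri = html.unescape(uri)  # links inside HTML carry &amp; separators
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append(f"uri is {len(uri)} chars (limit {MAX_URI_LEN})")
    action, _, query = uri[len("aim:"):].partition("?")
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        # Raw length is checked on purpose: percent-decoding only shrinks it.
        if len(value) > MAX_PARAM_LEN:
            label = name or "<unnamed>"
            reasons.append(f"{action}: parameter {label} is {len(value)} chars")
    return reasons


def scan(text):
    """Return (offset, uri_prefix, reasons) for each suspicious aim: link."""
    findings = []
    for match in AIM_URI_RE.finditer(text):
        reasons = inspect_aim_uri(match.group(0))
        if reasons:
            findings.append((match.start(), match.group(0)[:40], reasons))
    return findings


# Constructed sample: one ordinary link and one with an oversized parameter.
SAMPLE = (
    '<a href="aim:goim?screenname=abob&amp;message=hello">IM me</a>\n'
    '<a href="aim:buddyicon?screenname=abob&amp;groupname=asdf&amp;Src='
    "http://localhost/" + "A" * 3000 + '">icon</a>\n'
)

if __name__ == "__main__":
    for offset, prefix, reasons in scan(SAMPLE):
        print(offset, prefix, reasons)
```

A filter like this only reduces exposure on the delivery path; the fix remains the vendor upgrade.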


The vendor has been contacted and has released an upgraded version 4.3.2229 dated 12/6/2000.
