Do you trust AOL IM?
February 23, 2001 8:19 AM

Do you trust AOL IM? If you do, you might want to read this story.
posted by TNLNYC (10 comments total)
 
From the article:
Such exploits have been confirmed by others, who point to evidence of possible
damage caused by AIM password theft. Habeeb Dihu, a senior principal at
e-business consulting firm DiamondCluster International (Chicago, Ill.), says his
AIM user ID -- "MacGyver" -- was hijacked. The result jeopardized a major
business negotiation, he says.

"I was working on the Covisint deal," Dihu said, referring to the B2B exchange
recently developed by General Motors, Chrysler, Ford, Oracle, and Commerce
One. "Somewhere in the middle of the deal, my AIM screen ID got hacked.
Someone masqueraded as me and started to talk to my co-workers." (Hackers
say that so-called vanity names -- such as "MacGyver" -- are often the first choice
for an attack.)
Would you conduct a major business negotiation from an account like MacGyver@Aol.Com?
posted by rcade at 9:01 AM on February 23, 2001


This isn't really isolated to AIM either. Other IMs such as MSNM, ICQ, and YahooIM have had their share of "brute force" hacks. However, there are ways to report them to get back ownership....which from my experience is a total waste of time. I reported that my ICQ# 305422 was stolen about 15 times so far, still getting back the boiler-plate response. It's been over 6 months now...the good news is that ICQ has a bunch of neat downloadable "utilities" *grin*
posted by samsara at 9:07 AM on February 23, 2001


Oh god no! Someone can steal my insignificant AIM password, and talk to all of my friends! Egads! Whatever shall I do?
posted by dakotasmith at 10:04 AM on February 23, 2001


Yeah, the threat of password theft or somebody listening in on my conversations doesn't worry me too much at all, but the client-software hacks could mean real trouble. Fortunately, I've found AIM Express, a Java version of the software that isn't downloaded, to be pretty stable. Not only that, it seems to be the only IM program that can be run from the workstations on campus without an administrator login.
posted by Eamon at 10:29 AM on February 23, 2001


I haven't read the entire article linked to above, but the MacGyver thing is over a year old.
posted by gluechunk at 11:25 AM on February 23, 2001


Fortunately, I've found AIM Express, a Java version of the software that isn't downloaded, to be pretty stable.

Just to pick nits, it *is* downloaded. When you run a Java applet "inside a web page", the browser is implicitly downloading the program, saving it on the machine's drive somewhere, and executing it from there.

It seems to me that the word "download" is losing its meaning and acquiring a new, slightly related one implying an intent to create a permanent copy on local storage; technically, however, you download a web page every time you view it (ignoring caches).

In any case: I'm amazed people aren't embarrassed to be conducting business from an AOL account.

-Mars
posted by Mars Saxman at 12:00 PM on February 23, 2001


Mars, I agree with your mortification at the professional use of an AOL account, but I've found this practice to be fairly common among Mac-using artist types.

Apparently they're so cool offline that they have no idea how uncool they are online. Cruel irony.
posted by anildash at 12:55 PM on February 23, 2001


Was he conducting business that way, or just talking to his coworkers during the negotiations? It's not clear.

The worrisome part that caught my eye was that the exploit can be generated even if the client isn't running by forcing an aim:// request. But I guess that's implied.

What IM needs is something akin to SMTP headers. Sure, you can forge the From: line, but you (mostly) can't forge the IP that talked to your server. The technology of IM puts everyone in the position of being an AOLer who only sees the screen name.

All it is is P2P mail. Don't they see that?
posted by dhartung at 1:12 PM on February 23, 2001


I must have misunderstood the article. Does it say that password theft is a security hole? Of course it's a security hole, but it's a security hole to everything in the world that uses passwords... You're not supposed to give it out. Bah. If someone knows your password, of course they can steal your AIM account, just like your Amazon account, eBay account, etc.

I agree that I have never even pictured AIM being used for business... It seems just too strange.
posted by swank6 at 6:15 PM on February 23, 2001


IM programs have been trying for quite some time to be adopted as safe and practical business tools. It seems they still have to work at it some more.
posted by thirdball at 12:18 PM on February 24, 2001

