[OTR-users] AIM and shadow accounts

Ian Goldberg ian at cypherpunks.ca
Sun Oct 25 19:08:55 EDT 2009


On Wed, Oct 21, 2009 at 05:34:18PM -0400, Gregory Maxwell wrote:
> As most OTR users on AIM know: If you log in from multiple places and
> talk to another OTR user you'll end up in an "OTR war" with the remote
> client that you can't hear.
> 
> AOL tells you (sometimes?) about the second user on your account if
> it's coming from another IP, but doesn't tell you if the clients share
> IP.
> 
> The war stops if you log the remote client out, which can be done
> remotely by sending "1" to aolsystemmsg.
> 
> I have recently observed OTR wars happening with my client when no
> other client I control could possibly be logged in, yet sending "1" to
> aolsystemmsg stops the war so it must have been my client duplicated
> rather than the remote party.
> 
> I first observed this some months ago but I wasn't entirely sure that
> it couldn't have been another regular client of mine logged in but I
> changed my password anyways.  Since it is still happening occasionally
> I can only speculate that something is sniffing my password on some
> network I use (since AIM sends it in the clear) or that some
> AIM-internal process is interfering with OTR.
> 
> The latter possibility is especially concerning because it would be
> fairly easy to convince people to de-install OTR by occasionally
> subjecting them to this kind of behaviour.
> 
> Is this something specific to the networks I use, or are other OTR
> users on AIM seeing this?

This is a long-standing issue with OTR when users are logged in multiple
times simultaneously.  We've got a fix coded up, but it's still pending
review, which is slated to happen in November.

   - Ian


