Hotmail Hacked
Posted by CmdrTaco on Mon Aug 20, 2001 05:29 PM
from the it-happened-again dept.
SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet-wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.

You've got mail! (Score:5, Funny)
Hotmail: You've got someone else's mail!
Again? (Score:3, Funny)
Score: -1, Redundant
So we might as well shut down Bugtraq... (Score:5, Insightful)
Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.
Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.
Re:Informative - More like criminal action actuall (Score:4, Interesting)
This suit [findlaw.com] is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
Here's another way (Score:5, Funny)
1. Log into hotmail normally.
2. Type in this link:
Re:here's the instructions how to do it (Score:5, Informative)
My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.
Research by wAwAsAn4
wAwAsAn4@root-core.com
Web: www.root-core.com [root-core.com]
Email: [Digital-Vortex]@securityfocus.com [mailto]
Voila.
Average person? (Score:5, Funny)
"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.
It's not quite so bad (Score:4, Informative)
Re:It's not quite so bad (Score:4, Insightful)
This isn't the "major" security hole that the slashdot submission suggested.
It would take a minor miracle to guess a message number correctly.
And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick. If someone really wanted to read my email there, they could keep trying - but their hotmail username (at very least) would be recorded.
I don't mean to pooh-pooh this issue; but I think editorializing this into a *major* security problem (a la Code Red) is a little disingenuous, and misguided.
Re:It's not quite so bad (Score:5, Insightful)
Actually... not... there are only 86400 seconds in a day and you need to worry about approx. the first 100 message numbers, which makes it under ten million hits required to read your whole day's correspondence. And the effectiveness can be increased with a clever algorithm so I will have most of them after the first million.
In other words, a nice perl script that will take me about 1-2 hours to write will every day fetch all your mail without even making my computer sweat. :)
What kind of miracle is that? And shall I be proclaimed saint for performing such miracles?
The details of the hole... (Score:5, Funny)
Guess they haven't gotten rid of Code Red yet!
(For the humor impaired: no, I did not actually do the telnet session.)
Oh no (Score:4, Insightful)
Why is MS reaping the benefits of OSS security? (Score:4, Insightful)
Despite the fact that MS believes very firmly in a security through obscurity model of business, they have both benevolent and malicious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released its exploit POC. This exploit would still be out in the open and freely abusable if it hadn't been released.
Since MS is the 'standard' for most internet users, it's also the recipient of all the world's unsolicited security advice.
Big Surprise - More info... (Score:4, Informative)
This was already posted to BugTraq [securityfocus.com] not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:
http://www.securityfocus.com/archive/1/205785 [securityfocus.com]
Microsoft's response... (Score:5, Funny)
"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."
Like Taco said...you just can't make this stuff up. That response is just too funny.
Re:Microsoft's response... (Score:4, Funny)
Re:'Found it' ? (Score:5, Insightful)
Rudimentary Treatise on the Construction of Locks
A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties.
Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.
...The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.
"Limited Scope" (Score:3, Insightful)
Oh crap! (Score:3, Funny)
Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.
Hopefully they'll be good sports and also get me a lower interest rate on my home.
Very secret information.... (Score:5, Funny)
NOTE: By following these directions you will be breaking the law.
while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);
I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
Let me get this straight... (Score:3, Insightful)
This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.
If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.
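An added example, not part of the thread and not Hotmail's code: a toy message store showing the flaw class the comments above describe (a message returned for any ID a logged-in user can name, with no ownership check) beside a hardened lookup, together with the guess-space arithmetic from the earlier "86400 seconds" comment. The class, the ID format and the sample data are constructed assumptions.

```python
import secrets

SECONDS_PER_DAY = 86400   # figure quoted in the comment above
COUNTER_RANGE = 100       # "approx. the first 100 message numbers"


def guess_space_predictable():
    """Candidate IDs for one mailbox-day if the ID is <second><small counter>."""
    return SECONDS_PER_DAY * COUNTER_RANGE


def guess_space_random(bits=128):
    """Candidate IDs if the ID is a uniformly random token of `bits` bits."""
    return 2 ** bits


class MessageStore:
    def __init__(self):
        self._by_id = {}  # msg_id -> (owner, body)

    def add(self, owner, body, msg_id=None):
        # Default: 128-bit random ID. This is defence in depth only; the
        # ownership check in get_hardened() is the actual fix.
        msg_id = msg_id or secrets.token_urlsafe(16)
        self._by_id[msg_id] = (owner, body)
        return msg_id

    def get_vulnerable(self, session_user, msg_id):
        # Flaw: session_user is never compared with the message owner.
        rec = self._by_id.get(msg_id)
        return rec[1] if rec else None

    def get_hardened(self, session_user, msg_id):
        # Authorise against the authenticated session. "Not found" and
        # "not yours" look identical, so there is no existence oracle.
        rec = self._by_id.get(msg_id)
        if rec is None or rec[0] != session_user:
            return None
        return rec[1]


def demo():
    store = MessageStore()
    legacy_id = "99835920042"  # constructed: time-derived value plus counter
    store.add("alice", "private note", msg_id=legacy_id)
    return {
        "vulnerable_as_mallory": store.get_vulnerable("mallory", legacy_id),
        "hardened_as_mallory": store.get_hardened("mallory", legacy_id),
        "hardened_as_alice": store.get_hardened("alice", legacy_id),
    }


if __name__ == "__main__":
    print(guess_space_predictable(), demo())
```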
Is it still open? (Score:5, Interesting)
But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.
There was a great Salon article [salon.com] by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:
Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."
Fat chance.
I wonder if this time will be different...
Ugly VB Code... yeechhh (Score:5, Informative)
a) it's in VB
b) you'll see methods like this:
Public Sub ii(MSG As String)
l_info.Caption = ">" & MSG
End Sub
are there no coding standards even among hacks?
"hacker" vs. "cracker": something to consider. (Score:5, Funny)
CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!
STAN: Holy crap!
CARTMAN: You guys are so lame.
- A.P.
Now you can be a hacker too (Score:3, Funny)
Step-by-step hacking tutorial (Score:4, Offtopic)
For script kiddies who don't want to be bothered with the details, there's even a Windows program [can-host.com] that automates the process.