Hotmail Cracked Badly

Allright this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

Re:more info?

Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:

http://207.82.250.251/cgi-bin/start?curmbox=ACTI VE&js=no&login=ENTERLOGINHERE&passw d=eh

replace ENTERLOGINHERE with the account you are cracking.

This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.

Before anybody starts crowing ...

1) We're not told in this story where *exactly* the security hole is (in which part of the system)

2)According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"

So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.

Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.

Re:Blammo!

Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.

----

DING

Here's my mirror of the exploit [slashnet.org]

Sorry, Billy. Really.

Re:Found the link...too late

There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.

Security and platforms

I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.

It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.

Except from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure ?

Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.

One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing ?

We still need C, we still need string handling, and since every system has it's own way of authenticating users, it seems there is little to be done at all.

The address

Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.

Anyway, I've been told they they use "Microsoft Passport" and that's whats been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?

Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'

Re:The address

Oh well...

http://www.2038.com/hotmail/
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'

Nature of the exploit

I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).

Remember, Hotmail uses both Solaris and NT in various capacities.

HOW IT WORKS.

Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login= username &passwd=eh

In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.

--Joe
--

Re:Nature of the exploit

From what I've seen basically Hotmail trusts a certain URL to be accurate w/o doing any verification of the password. This isn't an NT issue or a Solaris issue or any other OS related security hole. It's just bad programming on the part of whoever wrote the offending code. Whether it was MS who messed up or the people who originally wrote hotmail I wish I knew.

Secure Web mail

I find it amusing that it would come to this. Hotmail keeps saying in TV ads that they're "perfectly secure and private" because they prompt you for a PASSWORD when you try to access your mailbox. Whatever means was used to crack Hotmail, I think it's a good thing. It will make people realise a system is not secure because the company hosting it says so.

This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)

On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail [hushmail.com] for Email with a real security. At least their encryption isn't just XOR-based. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."