Hotmail Hacked

SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.

and this is news?

[Anonymous Coward]

c'mon this isn't news this is just a reality of MS and the everyday world.

Ohh and don't blame the OS blame the programmers

Oh no

[interstellar_donkey]

Now anyone can get in and read all the porn ads I get in my hotmail inbox.

Why is MS reaping the benifits of OSS security?

[Bonker]

A monopoly is a scary thing.

Despite the fact that MS beleives very firmly in a security through obscurity model of business, they have both benevolent and malcious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released it's exploit POC. This exploit would still be out in the open and freely abuseable if it hadn't been released.

Since MS is the 'standard' for most internet users, it's also the recipient of all the world's security unsolicited security advice.

Grimace, McDonalds character, dead at 13

[Anonymous Coward]

I just heard sad news on talk radio -McDonalds commercial star/character Grimace was found dead in his McDonalds house this morning. I'm sure we'll all miss him - even if you didn't eat his food you've probably enjoyed one of his pornographic movies. Truly a purple American homosexual.

Related Link [mcdonalds.com]

Re:It's not quite so bad

[MaxwellStreet]

Exactly.

This isn't the "major" security hole that the slashdot submission suggested.

It would take a minor miracle to guess a message number correctly.

And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick. If someone really wanted to read my email there, they could keep trying - but their hotmail username (at very least) would be recorded.

I don't mean to pooh-pooh this issue; but I think editorializing this into a *major* security problem (a la Code Red) is a little disingenuous, and misguided.

"Limited Scope"

[CMiYC]

Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."

Bad, but getting better.

[Godeke]

I will probably take a huge beating for saying this, but here it is. Although Microsoft has a long way to go in dealing with security issues, they are lightyears ahead of where they were only a few months ago. New tools to scan all the servers in the domain for patch levels of various vulnerabilities, fairly quick response time to notifications of vulnerabilities and no more "that's only a theoretical vulnerability" attitude.

I am subscribed to their security notifications and there is an honest effort on their part to fix the problems. More shocking is the recognition they are giving to groups that expose these vulnerabilities - a 180 turn around how they used to desparage those who uncovered such problems.

Re:'Found it' ?

[DNS-and-BIND]

If you don't tell anyone, the flaw is still there. Only, if you don't tell anyone about the flaw, only the bad guys know about it. The piece below written in 1853 by Charles Tomlinson, and is only an excerpt of the the treatise, but it shows that people recognized that 'security' through thwarting the exchange of knowledge of flaws was not really security at all, waaaay before the digital age.

Rudimentary Treatise on the Construction of Locks

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquintance with real facts will, in the end, be better for all parties.

Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

...The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will posess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.

Re:Informative - More like criminal action actuall

[Anonymous Coward]

since when did libraries start selling books instead of lending them (aside from the occasional used book sale)? Oh, that's right. Public libraries, the napsters of the 18th century, had been "sharing" copyrighted material, until the Pay-per-view Copyright Act outlawed all forms of "sharing" of copyrighted material.

Re:Informative - More like criminal action actuall

[yomahz]

how is simple information illegal

I dunno.. but it is. I keep asking myself the same question. [freesklyarov.org]

So we might as well shut down Bugtraq...

[ActMatrix]

This exploit information came straight from Root-Core's site and was also posted to Bugtraq. If pasting it here is potentially 'illegal' than so are 90% of Bugtraq posts.

Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.

Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.

Re:It's not quite so bad

[aralin]

It would take a minor miracle to guess a message number correctly.

Actually... not... there is only 86400 seconds in a day and you need to worry about aprox first 100 messege numbers which makes it under ten million hits required to read your whole day correspondence. And the effectivity can be increased with clever algorithm so I will have most of them after first million.

In other words, a nice perl script that will take me about 1-2 hours to write will every day fetch all your mail without even making my computer sweat. :)

What kind of miracle is that? And shall I be proclaimed saint for performing such miracles?

Let me get this straight...

[mgkimsal2]

I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.

This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.

If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.

How my friend had his hotmail acct hacked...

[garagekubrick]

His girlfriend knows all his information, like zip code and location, so she clicks on forgot my password. Having passed that, his security question was: "What's my sister's name?" That wasn't too hard.

Needless to say, once she got in and had a look at his e lover's correspondence, the four year relationship ended quickly.

Motion for Summary Judgment

[CoachS]

Actually, the owners of Slashdot.org don't do the moderating -- the users do. Furthermore the actual users doing the moderating rotates fairly constantly; could be me tomorrow, could be you the day after that.

A smart lawyer, of which I could be one, would quickly dispatch the "promoting a felony" argument by pointing out that none of the promoting was done by the hypothetical defendants in this matter. Any promoting or highlighting of the "offensive" subject matter, like the posting itself as a matter of fact, was done by pseudo-anonymous members of the community at large.

It could be argued, I suppose, that Slashdot.org has created a forum that fosters or even encourages(?) such offenses, but that argument has fallen flat in a number of cases already decided.

Precedent being what it is I don't think Taco and friends should be speed-dialing Johnnie Cochran just yet.

-Coach-

Speaking of pretty disclaimers...I am not your lawyer and this is not legal advice, merely my educated opinion. If you wish legal advice seek out an attorney licensed to practice the kind of law you need in your area and pay them for it.

Re:Why is MS reaping the benifits of OSS security?

[BradleyUffner]

Umm.. you DO know that there was a patch that would have prevented Code red released by MS aver a month before eEye released it's findings?

Re:Informative - More like criminal action actuall

[legoboy]

Any smart lawyer would know a lot better than to provide unsolicited opinions on legal matters in a public forum. (Yes, it is possible to trace Anonymous Cowards through their IPs, etc). Now go back to your cave, troll.

In what twisted universe is "This is almost certainly illegal, idiots." (to paraphrase) construed as legal advice?