Microsoft

Hotmail Hacked 494

Posted by CmdrTaco
from the it-happened-again dept.
SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.

  • No no no (Score:2, Interesting)

    by sllort (442574) on Monday August 20, 2001 @05:37PM (#2199835) Homepage Journal
    "In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

    Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"

    Sigh. Experts indeed!
  • by Visionized (465361) on Monday August 20, 2001 @05:42PM (#2199865) Homepage
    Ya know, if you could somehow get that posted out somewhere that has greater volumes of general everyday traffic, maybe the rest of the public would start to get the hint at how bad MS is with security issues.

    What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology. This would definitely blow holes in MS's idea of being the "gatekeeper".

    Or better yet, it might just close the gate!! :)

    Cal

  • universal variables (Score:2, Interesting)

    by Traicovn (226034) on Monday August 20, 2001 @05:46PM (#2199888) Homepage
    The more parts of a program you have referencing any single variable in programming C/C++, the more chance for a margin of error you have.

    Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identity theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.

    Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.

    In this situation though, you have to wonder. If the person issuing the 'keys', Microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?

    I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.
  • by Anonymous Coward on Monday August 20, 2001 @06:03PM (#2200010)
    how is simple information illegal? i can go to the library and purchase a book on how to do something illegal, does that mean they shouldn't be allowed to have those type of books? no... and if i checkout a book on how to blow up a building and end up doing it, the library isn't responsible for my action, is it? no...
  • by startled (144833) on Monday August 20, 2001 @06:34PM (#2200131)
    "(pretty disclaimers aside you are legally responsible for the content here - it's just that no one has decided to pursue it yet)"

    This suit [findlaw.com] is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
  • Is it still open? (Score:5, Interesting)

    by update() (217397) on Monday August 20, 2001 @06:54PM (#2200184) Homepage
    I'm not one of those people who starts gloating every time a Windows vulnerability appears, claiming it proves how awful Microsoft development is and how clearly inferior their products are to free alternatives. (How many holes in wu-ftpd do you need before that rings empty?)

    But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.

    There was a great Salon article [salon.com] by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:

    Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."

    Fat chance.

    I wonder if this time will be different...

  • by blair1q (305137) on Monday August 20, 2001 @08:22PM (#2200472) Journal
    That's okay.

    Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.

    Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have the power to disable the Reply buttons.

    When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.

    --Blair

    P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.
  • by the gnat (153162) on Monday August 20, 2001 @09:43PM (#2200683)
    Perhaps your middle school doesn't have email accounts and you have to use Hotmail, but the mere fact that you have a Hotmail account- which, apparently, you use at least for unimportant stuff- means Microsoft has one more user to brag about to advertisers. Obviously it isn't such a big piece of shit, or you'd use Yahoo! or some other free webmail service.

    If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.

    Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.
  • by ROBOKATZ (211768) on Monday August 20, 2001 @10:34PM (#2200819)
    How would SSL help?
