Hotmail Cracked Badly
All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)
Re:One Word (Score:1)
Why Sign With Us? (Score:1)
When you sign up for Hotmail, you choose your personal ID and password. The only way you can access your account is by using the password you select. This means that only you will have access to your Hotmail account, even if you use a computer at a public terminal or a friend's house. (unless you use our convenient form based access if you "forget" your password... hehe)
Because the messages in your Hotmail account are stored securely at a central location, you don't have to worry about losing important information if something happens to your computer. (until someone breaks in... heheh)
Hotmail is strongly committed to keeping your personal information confidential. For more information on our Privacy Policy, click here. (the info goes straight to billg's desk. he reads it all! he knows who you are... heheh)
Sign Up Now!
excerpt from: http://lc3.law5.hotmail.passport.com/cgi-bin/dasp
Re:Hotmail & SPAM (Score:1)
Instead, when people say that the only thing they get from Hotmail is spam, they probably mean somebody forging mail with headers to look like it is from hotmail. Which is kind of what you said, but unless you read procmail filters it wasn't so obvious.
In your case, the procmail rule won't stop someone who is forging the X-Originating-IP line either, but it is probably good enough for most spammers.
Re:One Word (Score:1)
If the mechanism for a passwording scheme is a switch statement with all the passwords inline (obfuscated somehow, obviously, so one can't just run 'strings' on the binary to extract the words) then it is "security through obscurity" to keep the source hidden.
Not submitting your source code for peer review isn't the same thing by any stretch of the imagination. It's just one precaution among many that can be taken to preserve a system's security.
Of course, devotees of the warped notion of "peer review" being bandied about in the Open Source(tm) community won't agree, but Peer review used to refer to a review by one's peers, in the sense of a credentialed body of experts. Not "throw it out onto the street and see what happens to it."
Re:The address (Score:1)
Re:Found the link...too late (This here works) (Score:1)
University of Karlsruhe represent!
Re:more info? (Score:3)
http://207.82.250.251/cgi-bin/start?curmbox=ACT
replace ENTERLOGINHERE with the account you are cracking.
This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.
Before anybody starts crowing ... (Score:4)
1) We're not told in this story where *exactly* the security hole is (in which part of the system)
2) According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"
So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.
Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.
Proof? (Score:2)
In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport [passport.com] to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).
----
207.82.250.251 (Score:2)
> 207.82.250.251
Name: wya-pop.hotmail.com
Address: 207.82.250.251
> set querytype=any
> wya-pop.hotmail.com
wya-pop.hotmail.com preference = 20, mail exchanger = mail.hotmail.com
wya-pop.hotmail.com internet address = 207.82.250.251
hotmail.com nameserver = ns1.hotmail.com
hotmail.com nameserver = ns3.hotmail.com
hotmail.com nameserver = ns1.jsnet.com
mail.hotmail.com internet address = 216.33.151.135
ns1.hotmail.com internet address = 207.82.250.83
ns3.hotmail.com internet address = 209.185.130.68
ns1.jsnet.com internet address = 209.1.113.3
----
Re:Blammo! (Score:5)
Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.
----
don't work no mo' (Score:1)
----------------- ------------ ---- --- - - - -
CNN's take (Score:1)
Alex Bischoff
---
Re:One Word (Score:1)
DING (Score:4)
Sorry, Billy. Really.
Re:Before anybody starts crowing ... (Score:1)
Re:Web mail (Score:1)
What are the implications? (Score:2)
Microsoft Passport programme? From hotmail.com:
Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSN™ Hotmail™ member, you can use your Hotmail member name and password as your Passport!
That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites-without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.
Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click-without having to re-enter any information. No multiple sign ins, no hassles!
Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?
Re:more info? (Score:1)
Dog bitecha!
CNN says they "tested" it too (Score:1)
Others have mused about the possibility of the Hotmail lawyers coming after people who exercised this security feature. Well, CNN says they did this so I guess they are in the soup too.
Now a buddy of mine says, "Watch M$ turn this around and say they've fixed the problem by switching to NT!"
Arrrrrgggghhh
MS... (Score:1)
What are the chances that MS "allowed" this hole to exist so they could spread FUD about *NIX.
"This just shows the world that a free OS built by a bunch of hackers in their bedrooms can't compete with an Industry Supported OS like Windows 2000."
How long till something like that comes out of Redmond?
Re:One Word (Score:1)
Slashdot practicing security through obscurity (Score:1)
--
Re:Before anybody starts crowing ... (Score:1)
1. It's not hotmail per se that was cracked, it was Passport.
2. Passport runs on IIS.
3. ANY OS can be insecure if administered by a fool. In this case, it wasn't the OS, it was the web application.
"The number of suckers born each minute doubles every 18 months."
Re:If the Microsoft passport is the problem (Score:1)
"The number of suckers born each minute doubles every 18 months."
Re:Still working... (Score:2)
And, even if the admins of Hotmail don't read Slashdot or other tech news sites, the massive surge in activity, PLUS the massive surge in accesses of mailboxes should have rung alarm bells from Hotmail to Antarctica and back.
If THAT weren't enough, the admins must be aware of a huge increase in the number of people accessing via a single machine, and via a single method.
If that STILL weren't enough, they must have been notified by now that something's going on.
Finally, if complaints, surging activity from a single computer, news everywhere of the hole, and a massive increase in the use of Passport, were not enough to pull the plug, I'm sure journalists read Slashdot and some may have phoned Hotmail for a comment. System cracking is still news, even these days.
Yet, despite all of this, Hotmail still has that security hole wide open. *SIGH* That is astonishing.
Re:Found the link...too late (Score:3)
Other sites allow you the same. (Score:1)
It seems like Hotmail doesn't check for the password when you first open the mailbox when the referring page is not in Hotmail's domain. Big hairy bug indeed.
Re:One Word (Score:1)
Think again. You are making the famous appeal to Security Through Obscurity. If Passport were open-sourced, people would find the bugs and fix them, instead of sitting on them and hoping no one would notice the way Microsoft does with all its products.
Beer recipe: free! #Source
Cold pints: $2 #Product
party's over. (Score:1)
The real loser isn't MS, its users who needed anon (Score:2)
A lot of people are going to state that these people were stupid for relying on a Microsoft service, but where are they supposed to go? It isn't stupidity so much as a lack of education. This is compounded by the people who are technically capable of doing the educating. Too many of them are too busy looking down at the unwashed masses to communicate the options and hazards involved with the various options.
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (it's been a while) which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
There are probably others (I don't use anonymous email myself, I do use services that allow me a perpetual email address for non-critical stuff, like providing head hunters a consistent address)
but the only thing you really hear about are Hotmail or Lycos etc.
Microsoft culture, chaos and flawed security (Score:1)
Microsoft have a culture which assumes that networks are controlled and orderly, much like corporate LANs, rather than the chaos of the Internet. This comes up in their assumptions, and their lack of attention to security. The Microsoft Passport hole is merely the latest example.
Security and platforms (Score:5)
It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.
Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?
Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.
One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing?
We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
Re:Secure Web mail PATENT PENDING (Score:1)
So to be useful, you just have to get all of your correspondents to also use HushMail. Right. Forget about all the existing PGP users. And how can you get a patent for something that is already widely available? Why all you have to do is tack 'Roaming User' onto the end of the description and Poof! The software patent fairy grants your wish. Watch out world, I got a patent so I can sue your ass off if I feel like it!
Re:Is it fixed now? (Score:1)
Re:Who do I sue? (Score:1)
And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)
I hope you're not inferring that it's a good idea to pass data through a POP3 server. Not sure if you've encountered this one yet, but POP3 (and most of its kindred) send passwords and mail in the clear, the same way hotmail does. Indeed hotmail would be slightly more secure, since the passwords are likely sent in a POST form, which is mime64-encoded and thus very slightly protected against casual over-shoulder interception. Further, POP is a much more common target for interception since its use is so widespread and the format is quite standardized.
"Secure mail," inasmuch as that can be taken as anything but a contradiction in terms, involves stuff like a secure transmission client, encrypted channels all the way from sender to recipient, storage in encrypted form or on a cryptographic filesystem on a trusted, isolated server, and a secure reception client. At present hardly any such systems exist. The ones that do -- well, they don't run POP3.
Re:Security and platforms (Score:1)
--
Re:more info? (Score:1)
Hee hee... s/ASP/cgi/
So this just means it's lousy coding. No surprise there. cgi-bin's been a scary thing to have on your system for a long time.
Re:Before anybody starts crowing ... (Score:1)
Re:don't work no mo' (Score:1)
So that's why I couldn't read admin@hotmail.com's mailer error messages.
Re:more info? (Score:2)
How abouts some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)
I agree. Why haven't I seen this on Bugtraq yet? I'll admit I've haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts
Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.
Btw, someone want to moderate up that (intelligent) AC comment?
Re:One Word (Score:1)
Sujal
Re:Password (Score:1)
Sujal
The address (Score:3)
Anyway, I've been told that they use "Microsoft Passport" and that's what's been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?
Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
Re:The address (Score:5)
http://www.2038.com/hotmail/
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
And conincidentally.. (Score:1)
Microsoft Makes Reading Easier. [zdnet.com]
Yes. It seems they do.
Re:Hotmail is on Unix... (Score:1)
LINUX stands for: Linux Inux Nux Ux X
Re:more info? (Score:2)
-luge
Re:more info? (Score:2)
-luge
Bye Hotmail. (Score:1)
Just pulled ALL my stuff off hotmail (6 accounts) and notified all hotmailers that I know of the crack. Also fired off a nastygramme to Hotmail about their aircraft-carrier-sized hole in security.
I basically mimicked the first guy who responded to this particular post. "Holy crap!"
Chas - The one, the only.
THANK GOD!!!
A matter of time... (Score:1)
Chilli
Re:Blammo! (Score:1)
Chilli
Re:A matter of time... (Score:1)
Chilli
Re:Secure Web mail (Score:1)
Well, in fact many REAL (&safe) encryption algorithms are run in the xor-with-the-plaintext mode. As long as the bitstream that you XOR with is sufficiently unpredictable, that is perfectly safe.
You're thinking about xor-with-a-fixed-string or something like that. That's stupid.
You're bashing on XOR for no good reason. Leave XOR out of it....
Roger.
Not stolen passwords (Score:2)
Nature of the exploit (Score:5)
Remember, Hotmail uses both Solaris and NT in various capacities.
Re:Hotmail & security (Score:2)
> I block anything from Hotmail anyway, since only
> spam ever comes from Hotmail, so who cares?
The last time I got spam from Hotmail, I sent an irate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.
Here's my procmail recipe which does just that:
:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
junk
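The same check as the procmail recipe above, written in Python as an added example (not part of the original comment). It flags a message when a From, X-From-Line or Return-Path header mentions hotmail.com and no X-Originating-IP header is present; the sample messages are constructed, and one of them carries a forged X-Originating-IP to show the limit the reply above points out.

```python
import re
from email import message_from_string
from email.message import Message

# Same header set and pattern the procmail recipe matches on
# (procmail matching is case-insensitive by default, so IGNORECASE here).
SENDER_HEADERS = ("From", "X-From-Line", "Return-Path")
HOTMAIL_RE = re.compile(r"hotmail\.com", re.IGNORECASE)


def claims_hotmail(msg: Message) -> bool:
    """True if any sender-style header contains hotmail.com."""
    for name in SENDER_HEADERS:
        for value in msg.get_all(name, []):
            if HOTMAIL_RE.search(value):
                return True
    return False


def is_junk(raw: str) -> bool:
    """Apply the recipe: hotmail.com in a sender header, no X-Originating-IP."""
    msg = message_from_string(raw)
    return claims_hotmail(msg) and msg.get("X-Originating-IP") is None


# Constructed sample messages (not real mail).
GENUINE = (
    "From: alice@hotmail.com\n"
    "X-Originating-IP: [192.0.2.10]\n"
    "Subject: hi\n\nbody\n"
)
FORGED_SENDER = (
    "From: promo@hotmail.com\n"
    "Return-Path: <bounce@example.net>\n"
    "Subject: buy now\n\nbody\n"
)
# Forged sender AND a forged X-Originating-IP: the recipe lets this one through.
FORGED_WITH_IP = (
    "From: promo@hotmail.com\n"
    "X-Originating-IP: [203.0.113.5]\n"
    "Subject: buy now\n\nbody\n"
)
OTHER_DOMAIN = "From: bob@example.org\nSubject: hello\n\nbody\n"


def classify_all() -> dict:
    """Run the filter over every sample; True means 'would land in junk'."""
    return {
        "genuine": is_junk(GENUINE),
        "forged_sender": is_junk(FORGED_SENDER),
        "forged_with_ip": is_junk(FORGED_WITH_IP),
        "other_domain": is_junk(OTHER_DOMAIN),
    }


if __name__ == "__main__":
    for label, junk in classify_all().items():
        print(f"{label}: {'junk' if junk else 'ok'}")
```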
Re:Web mail (Score:1)
Re:psycho fud-flingers!!! (Score:2)
It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.
--Joe--
HOW IT WORKS. (Score:5)
Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIV
In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.
--Joe--
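The bug class described in the "HOW IT WORKS" comment above and in the earlier "Other sites allow you the same" comment, in miniature: a mailbox back-end that trusts the account name in the URL because it assumes whoever reached it was already authenticated elsewhere, next to a hardened handler that takes identity only from a server-side session created after the password was verified. This is an added example, not Hotmail's or Passport's code; the accounts, mailboxes, the `login` parameter name and the session store are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional
from urllib.parse import parse_qs


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the constructed store holds no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed accounts and mailboxes (illustrative only).
_SALTS = {"alice": b"salt-alice", "bob": b"salt-bob"}
USERS = {
    "alice": {"salt": _SALTS["alice"], "hash": _derive("correct horse", _SALTS["alice"])},
    "bob": {"salt": _SALTS["bob"], "hash": _derive("hunter2", _SALTS["bob"])},
}
MAILBOXES = {"alice": ["welcome to your inbox"], "bob": ["invoice #42"]}
SESSIONS = {}  # token -> user; populated only by login()


def vulnerable_open_mailbox(query: str) -> Optional[List[str]]:
    """Back-end that assumes the front-end already authenticated the caller,
    so it takes the account name straight from the query string. Anyone who
    can reach this handler can name any account: no proof of identity needed."""
    login_name = parse_qs(query).get("login", [None])[0]
    return MAILBOXES.get(login_name)


def login(user: str, password: str) -> Optional[str]:
    """Front-end step: verify the password, then mint an unguessable token."""
    rec = USERS.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def hardened_open_mailbox(query: str, token: Optional[str]) -> Optional[List[str]]:
    """Identity comes only from the server-side session, never from the URL
    or the Referer. A 'login' parameter is tolerated for compatibility but must
    agree with the session; a missing/stale session or a mismatch fails closed."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return None
    requested = parse_qs(query).get("login", [user])[0]
    if requested != user:
        return None
    return MAILBOXES.get(user)


def demo() -> dict:
    """Send the same requests to both handlers and collect the outcomes."""
    token = login("alice", "correct horse")
    return {
        "vulnerable_reads_bob_without_password": vulnerable_open_mailbox("login=bob") is not None,
        "hardened_no_session": hardened_open_mailbox("login=bob", None),
        "hardened_wrong_user": hardened_open_mailbox("login=bob", token),
        "hardened_own_mailbox": hardened_open_mailbox("login=alice", token),
        "hardened_bad_password": login("alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```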
Re:Is it fixed now? (Score:1)
Dunno
Web mail (Score:2)
Plus your local ISP's pop server is not a high-profile target like Hot mail, making it far less likely to come under attack.
A generation's defining moment ... (Score:1)
Michael
A generation's defining moment ... (Score:1)
Michael
Re:Who do I sue? (Score:1)
It Only Sorta Works... (Score:1)
IE 4.5 isn't allowed on grounds I don't have cookies enabled. Bullshit; I'm using slashdot.
Just tried a sixth - same effect. I can see a listing but not view email. And the same result with Communicator 4.61-Mac.
Hmmmm....
Re:TOASTED (Score:1)
http://www.microsoft.com/security/default.asp
Re:HOW IT WORKS. (Score:1)
Re:Still working... (Score:1)
BTW it's a public holiday in the UK, so double plus good to the Register.
OTOH, 'there but for the grace of god'. How many of the sysadmins here are > 95% sure they've covered every hole & patched every exploit on every one of their systems?
Re:Still working... (Score:1)
Re:At last, a credible story to scare my boss ... (Score:1)
At last, a credible story to scare my boss ... (Score:2)
In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.
Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...
how interesting... (Score:1)
Re:Security and platforms (Score:1)
Re: (Score:1)
Probably a bug in their ftpd (Score:1)
Re:The irony is… (Score:1)
I would disagree. My guess is that they gave the job to write the program to some MCSE certified drone. However, of course the guy quickly found that the MCSE doesn't cover CGI, and the guy had no clue. Incompetence reigns within the MCSE "community." Perhaps next time Microsoft will hire a real CGI programmer. Of course, as they point out in their whitepapers, they'd have to pay a Unix CGI programmer more.
-Brent
Re:The address (Score:1)
Re:imagine that... (Score:2)
Re:Nature of the exploit (Score:4)
By Design? since MSN Mess hotmail access disabled (Score:1)
MSN Messenger Service disabled?
Since Microsoft has 'fixed' the security hole earlier this morning, my MSN Messenger service will no longer allow me to directly login to my Hotmail Inbox. That's the only reason I even use the shitty service...
Coincidence? I think not.
Any MSN Mess users confirm this?
Re:By Design? since MSN Mess hotmail access disabl (Score:1)
Forbidden You don't have permission to access
It's either something on Hotmail's end or something that will require an update for Messenger and how it connects to Hotmail.
anon.penet.fi -- the real story (Score:2)
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (its been awhile)
anon.penet.fi, yes. Read the story of its demise [penet.fi].
Key details not found there (unless you poke around some) are that the court case involved anonymous e-mail sent by a critic of the Church of Scientology, a lawsuit brought by Scientologists in Finland against Julf, and the subpoena served on Julf by reluctant Finnish police. Julf had simply hoped this day would never arrive; when it did, somewhat more quickly than he had expected, he was caught off-guard. Since he realized that he did not have the resources to protect the users of the service, he closed it.
which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
Julf did a great job with anon.penet.fi, but let's not oversell it. The anon.penet.fi did nothing more spectacular than remail your text with its headers. There were instances of the service being spoofed, accidentally revealing addresses, and being abused by someone with prior (social) knowledge of the real e-mail address associated with an anon.penet.fi address. And in the end, it all boiled down to Julf: did you trust him? He was honorable, but that wasn't guaranteed.
Nevertheless, many thousands used the service mainly because it was the easiest anonymizer to use. And yes, as many security geeks pointed out endlessly, the ease of use made it more vulnerable than other systems.
Re:CNN is BSing (not really) (Score:2)
The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot. [snip]
Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."
Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of
You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.
What bugs me is that all the mainstream articles I've read so far -- CNN, even News.com -- seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog. Fortunately ZDNet is reporting that "a simple HTML script" (long way to say "URL") could also thread the security needle.
Re:Isn't ANYBODY the least bit worried?! (Score:2)
If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service.
Uh, actually, no. That should read "to any badly-programmed web-mail service". See, they didn't invent some gosh-darn super-duper smart-agent neural-net jacked-into-the-matrix hack; they found out that Hotmail hadn't locked all the doors, that's all.
(Sadly, that's pretty much the case with ANY system cracking.)
Re:One Word (Score:1)
http://www.machineofthemonth.com/misc/ma0.html
Crack Famous Email (Score:1)
Re:what is obviously being overlooked...by you (Score:1)
No, Microsoft didn't start Hotmail. However, Microsoft did start the Passport integration. In the course of doing this, they modified CGI scripts and failed to think through the security implications of what they were doing. Which is par for the course for MS. End result: because of a stupid error by MS, large numbers of people had e-mail compromised. In any competent setup, this error should be caught before going into production. In most Unix shops, it would get caught. Around MS, failure to catch things like this is endemic, which is why I don't trust their products from a security standpoint. I'm just happy I don't need Hotmail to get Web-based e-mail.
Hotmail is on Unix (Score:2)
Whoops (Score:2)
This is bad... (Score:2)
Re:more info? (Score:2)
So basically what I think this is, is simply access to a machine that normally users only get directed to once they've gone through the login process. Also, normally the parameters in Hotmail's URLs are encoded or something, but I wouldn't be surprised if what we see encoded in normal Hotmail access decodes to the URL type syntax this script generates.
I just wonder what a CURMBOX is...
If this is true, it just took someone to decipher the url encoding, and voilà.... and knowing MS, it's probably ROT13 or something.
Still working... (Score:2)
Why don't MS just block requests from the referring host in question? How hard can it be?
Re:I wonder why... (Score:2)
let's face it - security holes pop up on all platforms, *nix, windows, whatever. the key is how a company responds to the holes and m$ doesn't seem to have learned that lesson. they figure they can keep everyone in the dark for as long as possible.
the same thing happened with the big iis hack a couple of months ago
I wonder why... (Score:2)
If you want to try it out... (Score:2)
tabloids first (Score:2)
-
Re:Holy cow (Score:2)
Yipes!
Secure Web mail (Score:4)
This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)
On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail [hushmail.com] for Email with a real security. At least their encryption isn't just XOR-based. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Microsoft Passport "Security" (Score:2)