Slashdot Mirror
Another Hole in Hotmail
Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
Same kind of thing when you go to an AOL chatroom and tell them they can get your pic by pressing ALT+F4, it's been around forever, but the cluebies still fall for it. Idiots. :\
Slashdot poll suggestion:
In order to continue reading the pr0n trolls on Slashdot, you must pour a bowl of hot grits into your hard drive right now, and click OK. Do you wish to continue?
(Glossary: "hard drive" is usually used to denote the secondary storage device on your computer...)
Poll Mastah
Message I got when deleting my spam bucket:
Message to Hotmail Members
We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience.
© 2000 Microsoft Corporation. All rights reserved. Terms of Service Privacy Statement
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie. Well, maybe Microsoft and Hotmail, but no-one who had the slightest clue about the issues Slashdotters care about.
Would they?
#!/usr/bin/perl -w
open COOKIE, $ENV{HOME} . "/.netscape/cookies" or die;
while (<COOKIE>) {
if (/slashdot/) {
chomp;
my @args = split;
my $cookie = pop @args;
$cookie =~ s/\%25//g;
print pack("H*", $cookie), "\n";
}
}
--
Xenu loves you!
Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.
Hotmail stores your user information in a session cookie, not a persistent (disk) cookie. If you close all your browser windows and access hotmail again, you are required to enter your password again... unlike Slashdot I might note.
I know the session cookie has an expiration period, but I don't remember what it is. Probably something like 20 minutes.
-konstant
Yes! We are all individuals! I'm not!
-konstant
Yes! We are all individuals! I'm not!
I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.
This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.
But then again, I rarely. So who. Well!
Right?
The point was that people don't read the dialog.
;), but normally it is not what you want. The point of the poster you replied to was that the user doesn't need to know that formatting is bad and thus you don't know for sure 1 out of 3 users don't read dialog boxes.
Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla
Thimo
--
Avoid the Gates of Hell. Use Linux!
Not automatically: the items still have to be selected in order to be viewed. However, that's enough for the script to run and capture session data.
I developed it on paid time, it was company property. I didn't keep a copy (I don't use Windows at home for anything but games, so I wasn't tempted).
I was pretty sure it would spread to millions of computers, and I'd get a bonus. Instead I got a pat on the back from the guy in the next cubicle (who didn't install the software either), and the company refused to hire me as a regular employee when my co-op term ended (despite demonstrated ability as one of their best programmers, and their desperate need for a rewrite of an in-house package I was intimately familiar with, I was "unqualified" without a degree). Very disappointing.
the tricky part about this is that you don't need to click on the attachment. Hotmail, just like many of the other newer email clients, recognizes it as html code, and embeds the html page into the page automatically. Unless you've changed settings, this will happen without you actually doing anything.
it's not a vbs file. it's an embeded javascript. there is no virus check run because it's not a virus and there isn't an anti-virus that checks for potentially malignant javascript. Hell, the creator only had to identify the cookie, the username, and the server the cookie was being held on, and automatically send all of this info to another account (which could have been a hotmail account)
Not everyone had to actually open the attachment.
What kind of grammer is that?
With very what?! Egads.
Linux Band Bratwurst Orange
Beos Band XIR: Xir is recursive
when Push Comes to Shove
Seth
$5 / month hosted VPS on linux = awesome!
I was nothing short of amazed at how many people clicked OK. It must have been at least a third, if not half.
Got Rhinos?
You punk kid virus writers are becoming lazy no-goodniks who just want to live off the government dole! Back when I was a kid, we had to walk 7 miles through unsorted punchcards if we wanted to write a virus; and we didn't have no fancy-schmancy new-fangled "scripting languages", neither, nosirree, we had to imprint the binary on cardboard boxes, which in turn we'd mamble famble until they'd turn into finely crafted executables, yes sirree.
Free music from Jack Merlot.
From the ZDNet article:
Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user?s cookie to the hacker.
Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user. Click here for a description of the trick.
<snip>
Not a 'trivial bug'
Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.
Best I could see, theres no email floating around doing this - its just an idea at this point. And for it to propagate(sp?) like luvbug or melissa, it'd need a script to use the hotmail address book. As it sits right now, it'd just come from one guy who knew lots of hotmail addresses. Someone correct me if I'm wrong on this, tho :)
-----
If Bill Gates had a nickel for every time Windows crashed...
What I saw made me laugh over and over again. The news people on almost every channel gave the following advice.
1.) If you get an e-mail that your not expecting (hmmm all of them!) call the person and ask them if they sent you mail.
Why don't you just drive over to their house and ask them.... DUH!
2.) Make sure you virus software is up to date.
Hello! This didn't work and wouldn't work because this was a NEW virus. They had a virus defintion only hours after the bug hit! What good would it have done!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
If you click here a message declaring your love for Bill Gates will be posted to Slashdot in your name.
Any takers?
numb
Ok, while I disagree with your point in general, I will concede that it is the meaning of a sentance that makes the most difference. However, a trailing adjective/adverb that modifies nothing is a problem anyone can be justified complaining about. This is why it bothers us when we see stories that have sentances that just
That way I have something to point to when someone asks me if it's OK to open email attachments. Doesn't work too well over the phone, but I'm sure I could make use of a suitable GIF on the web server..
73 de N5VB (ex-KD5BIV) AR SK
Here's the exploit:
1) Find a story about technology (if your name is "Katz" this step is unneeded)
2) Skim the headline of said story to "get the gist".
3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.
For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.
What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
How this seems to work is that someone emails you an HTML file as an attachment.
If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to me from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.
These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.
It's not clear form the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.
Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.
-Ciaran
Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>
I just want to take over the world...Why does that automatically make me EVIL?
Anyone who falls for something like that DESERVES to face the consequences...
if they didn't learn all the times that the services say "DON'T GIVE YOUR PASSWORD OUT TO ANYONE", then maybe that will teach them a lesson.
-- Dr. Eldarion --
It's not what it is, it's something else.
To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?
When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.
If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.
Got Rhinos?
the windoze default setting is to 'hide' the three letter file extenstion. If the attached file was named noodiepic.jpg.vbs, it would appear as noodiepic.jpg . Most people would feel safe (yet perverted) by opening this.
After our beloved NTServer was 'Loved', the people with this setting only noticed the jpg icons had changed and kept infecting away. I changed this setting on all infected users to help remind them what file type it actually is.
Hey, leave comments about my mother out of this!
I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.
The Economics of Website Security
I still have my hotmail account, I use it as my "spam bucket". You know those free website that offer free accounts (like the new york times), but you have to give them you email address? Also when registor with search engines, sign up FREE to win crap out there, just use a hotmail account and see how long it takes to fill completly full with spam (it took mine 3 days!)...
A neat treat though, just put a filter in to filter out anything with 'A' in the subject, they allow like 5-10 filters, so delete everything that has a vowel in the subject line!
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
I've had a hotmail account for about 3 years and I still use it.
:)
Everytime I sign up for anything on the internet, anytime a webpage asks me for email, any time I have to put in an email address to 'register' a program, or any convention I sign up for, I put in my hotmail address... They then usually ask me a bunch of personal questions. I'm always 25-35 male, I make $100,000+/year and am single. And when you see all those little boxes where you check off your interests? Well, I check them all. Then I check (or uncheck) those boxes that ask me if I want their monthly, weekly, daily email magazine. Oh, and I want all the updates whenever they update their software/web page, etc...
I currently get 7-8 emails a day at that address.. about twice a week I get one from Hotmail Staff telling me my mailbox is full..
That is *absolutely* the case. That's why the ILOVEYOU virus author renamed files not from file.ext to file.vbs but to file.ext.vbs.
Moderate Chris Hiner's post UP.
The proper extension for a Word file with macros is ".dot", because it's a template (a Word template is a dynamic object which produces documents, a Word document is a static object and can't contain code) - just because Word is too stupid to complain if you name it ".doc" doesn't change that. What you're saying is like insisting that a ".jpg" can hold formatted text, arbirary JavaScript, and hyperlinks because if you rename an ".html" file to ".jpg" IE will still open it as HTML.
At any rate, my program detected macros in files with the extension ".doc". It wasn't a program idea, it was a working program that I tested and proved effective.
From http://www.emergency.com/wordvrus.htm:
An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.
I hate pathetic morons who go around insulting people for imagined mistakes without checking their facts.
I bet in the UK you couldn't sue a restaurant (and win) because you spilled coffee on yourself.
-- Dr. Eldarion --
It's not what it is, it's something else.
At a certain large Canadian technology company, after having the email shut down by a Word macro virus panic, I once wrote a program that identifies attachments with a ".doc" extension that are actually ".dot" files (Word document templates that could contain macro viruses). If it was a real ".doc", it just opened the file with Word; if it was a ".dot", it put up a dialog box with big biohazard signs that said "This is a falsely labeled file! It could carry a virus or trojan horse! ARE YOU SURE YOU WANT TO OPEN IT?"
Everyone who saw it, including my boss, agreed that it solved the problem completely. However, nobody installed it, and nobody outside of my department was shown it. It was almost certainly deleted shortly after I left the company, and the vulnerability (to a few specific viruses) solved several months later by purchasing expensive anti-virus software.
Home users have an excuse: most of them are ignorant. They have a vague idea of some portion of what's on their hard drive and what's on the internet, and of the difference between an application and a document. Corporations, though, want a simple solution: money out, invulnerability to viruses in. The answers have been jumping up and biting them on the nose from any halfway decent MIS department, from security websites, from annoyed articles in the trade papers, but the managers involved want their computers to "just work", and not be bothered with having to think (or making all their employees apply common sense, which, I must admit, is about as difficult as teaching cats to march in formation).
My wife uses Hotmail, because she likes the convenience of getting her mail through a web browser, from any computer. I've seen a few apps for Linux that allow you to pull your mail off a POP or IMAP server, and access it through the web (ACME mail comes to mind - http://www.astray.com/acmemail/)
Has anyone used this, or similar programs? How well do they work? How insecure are they?
It'd be nice to set up an alternative web mail system....
---
Oh, yes. I've actually suggested we do something similar at our company. We send out HTML emails to our customers. The URL in the IMG tag doesn't have to be an image at all--it can be a CGI page which redirects to an image. Throw a couple of parameters (like a user-id) into the URL, and the CGI page can record exactly when users open the email. Nifty, eh? I never thought of capturing the IP address directly (not something we're interested in) but it would obviously be possible.
Wonder if this could be exploited further?
Why would anyone in their right mind let unknown people run foreign code on their machines? Yes, I get executable attachments sometimes myself, but why would I want to run code that does who knows what? I guess I just know too much about the kind of people out there. Yeah, maybe that's it.
Just goes to show, once again, that there are two kinds of people in the computer world -- those who know what they're doing and understand the technology, and those who are along for the ride and depend completely on their "gurus" for anything even the slightest bit off the routine.
I have to rant a little about this because around here 9 times out of 10 people come to me to bail them out when they screw something up, and only one of my jobs pays me for that. I have very little trouble believing that quite a few people would answer "yes" to your question, and not much more trouble believing that they would come whining to more clueful people about getting their files back afterwards.
("No, you don't understand. You FORMATTED the hard drive. That ERASES the hard drive. Unless you backed up those files which were ON the hard drive, they're gone. Sorry
73 de N5VB (ex-KD5BIV) AR SK
So I just tried to send a message through hotmail, and I got a 404-ish error. So I logged back in to Hotmail and later got a message while refreshing saying that the server holding my account was temporarily unavailable. Sounds like they're taking the machines offline to throw in a patch.
I'm hella pissed, though, because the mail I was sending was to a headhunter I've been talking with about a sweet Linux job and I don't know if it went through or not.
It's enough to make a person switch over to PEmail. Old habits die hard, though. I've been using Hotmail since before M$ bought them.
-carl
. We've got computers, we're tapping phone lines, you know that ain't allowed - Talking Heads, "Life During Wartime"
I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
Like the Dilbert comic where the boss becomes irate at a statistic that 40% of sick days are on Monday and Friday.
*gasp*!
Pablo Nevares, "the freshmaker".
Pablo Nevares, "the freshmaker".
"If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."
You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
--
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.
--
The shareholder is always right.
It doesn't actually do many of the horrible things associated with the ILOVEYOU crap, but it will let someone else commandeer your hotmail account.
A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
including both median and mean. Anyway, because intelligence isn't really something you can put a real number to, we're free to fake a nice balanced bell curve where the median and the mean are the same. I think it works out that way with I.Q.
From they way this story is worded, I'm led to belive that you could construct a similear javascript to get the cookies from anywebsite.
Just one more reason that I only use crashscape (Which is what I've been calling that program since 1.1 when I first saw it) with sites I trust. Mostly my bank because they require javascript for some reasons (at least to log in, once I'm logged in I've disabled it with no problems, but that is a pain)
What alot of us forget, is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, alot of non technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
(Win98 may default to this too, I don't remember)
I suspect lots of nongeeks leave it at the default...
I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?
Got Rhinos?
People are lazy and don't consider the ramifications of what they do. This puts more burden on programmers to protect idiots from themselves.
There are many alternatives to Outlook Express (in the case of the love bug) or Hotmail, but people that are too lazy to properly evaluate the suitability and safety of their tools will get hurt. This happens with physical tools
That taiwanese-brand hammer is way more likely to split and send shards into your eye, but is that your fault or the manufacturers fault? In the US, it is of course entirely the manufacturer's. In the UK, well, the judge would make an arbitrary partition and say it was maybe 60% the manufacturers fault, and 40% mine. Of course the UK approach is much less sane.
How's "resetting the filesystem" for a name?
Will I retire or break 10K?
I normally use Hotmail through Outlook Express (no flames please; my filename extensions are not hidden). When I get a spammer, I just report her.
Will I retire or break 10K?
On a related note, I heard that studies have shown that half of the population make up 50% of the people.
You've never worked a help desk, have you?
Most people wouldn't think twice about opening a snail mail package addressed to them, even if it has not return address on it, and seems somewhat heavy. That's why the unabomber managed to rack up a pretty decent string before being caught. People don't tend to think that bad things will happen to them when they are using tools that they deal with everyday without understanding.
To put it another way, while most people think of themselves as fairly decent drivers, how often in the past week have you been cut off, or had the guy in front of you make a turn without signalling? People get so used to using tools that they become careless; this is compounded if the person doesn't understand how the tool that they are using works, or at least had it drilled into their heads the way to safely use the tool.
It's just a matter of time before people get more careful about opening things they're not sure are safe. I imagine Thag got a lot more careful with fire after watching Thog torch himself.
"This is your world. These are your people. You can live for yourself today, or help build tomorrow for everyone."
Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is acutally an HTML file which contains the exploit. More specifically:
The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.
Ironically, this information is largely reproduced from the article on Peacefire cited in the original post. No mention of VBS files anywhere.