Slashdot Mirror
Hotmail Hacked
SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
Score: -1, Redundant
"He was a wise man who invented beer." -- Plato
"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.
I/O Error G-17: Aborting Installation
You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.
Gates' Law: Every 18 months, the speed of software halves.
Guess they haven't gotten rid of Code Red yet!
(For the humor impaired: no, I did not actually do the telnet session.)
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Now anyone can get in and read all the porn ads I get in my hotmail inbox.
The Internet is generally stupid
A monopoly is a scary thing.
Despite the fact that MS beleives very firmly in a security through obscurity model of business, they have both benevolent and malcious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released it's exploit POC. This exploit would still be out in the open and freely abuseable if it hadn't been released.
Since MS is the 'standard' for most internet users, it's also the recipient of all the world's security unsolicited security advice.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
For script kiddies who don't want to be bothered with the detailes, there's even a Windows program that automates the process.
blah blah, we expect this from MS... blah blah, when will they get their act together...
This was already posted to BugTraq not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:
http://www.securityfocus.com/archive/1/205785
- tre
http://piclabs.com
"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."
Like Taco said...you just can't make this stuff up. That response is just too funny.
Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."
Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.
Hopefully they'll be good sports and also get me a lower interest rate on my home.
Rudimentary Treatise on the Construction of Locks
A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquintance with real facts will, in the end, be better for all parties.
Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.
...The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will posess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
1. Log into hotmail normally.
2. Type in this link:
http://pv2fd.pav2.hotmail.msn.com/default.ida?XX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858
8 %u cbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685
1b%u53ff%u0078%u0000%u00=a HTTP/1.0
Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.
Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.
"(pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)"
This suit is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:
NOTE: By following these directions you will be breaking the law.
while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);
I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
AOL: You've got mail!
Hotmail: You've got someone else's mail!
I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.
This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.
If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.
creation science book
But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug days until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.
There was a great Salon article by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:
Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."
Fat chance.
I wonder if this time will be different...
My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.
Research by wAwAsAn4
wAwAsAn4@root-core.com
Web: www.root-core.com
Email: [Digital-Vortex]@securityfocus.com
Voila.
Looking for a great online backup: Green Backup
But when you start to consider that the super-duper-top-secret algorithm for encoding message numbers constitutes "encryption" according to some, then it's protected under the DMCA.
You have just published a "Circumvention Algorithm."
Shame on you. No doubt the FBI is on their way to your house to slap you on the wrists with wet noodles. Oops, I mean slap you in irons. The wet noodles are for Microsoft under the new Punitive Actions for the antitrust suit.
The living have better things to do than to continue hating the dead.
you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here. Warning about the code however:
a) it's in VB
b) you'll see methods like this:
Public Sub ii(MSG As String)
l_info.Caption = ">" & MSG
End Sub
are there no coding standards even among hacks?
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
That's okay.
Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.
Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.
When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.
--Blair
P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.
Does anyone else think that "crackers can read your email" is something Chef from South Park would say?
CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!
STAN: Holy crap!
CARTMAN: You guys are so lame.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Perhaps your middle school doesn't have email accounts and you have to use Hotmail, but the mere fact that you have a Hotmail account- which, apparently, you use at least for unimportant stuff- means Microsoft has one more user to brag about to advertisers. Obviously it isn't such a big piece of shit, or you'd use Yahoo! or some other free webmail service.
If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.
Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.
Just read this l33t article on "How To Become a Hacker", and you'll be hacking into people's mail before you know it!
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.