Microsoft's Hotmail Challenge Backfires
Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor says he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."
From the article (but curiously missing from the summary):
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.
From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'
It's only recently (Nov. 2010) that Hotmail even had the option of using SSL:
http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx
And SSL still isn't the default option for Hotmail.
Gmail at least had the option for SSL for many, many years, and Google made SSL the default a few years back (after they got hacked by the Chinese).
If you took the cursory amount of time to research this, you'd find that (a.) no, Microsoft doesn't expect business users to rely on authenticating against Windows Live, and (b.) that Windows Live login is optional and not necessary, and a local account works just fine. You just don't get access to some easy synchronization items, but you can still access the Windows Store and apps by manually logging in.
But hey, this is Slashdot. Who needs to verify before they make grandiose claims?
http://xkcd.com/936/
Truth be told the passwords we actively encourage are no stronger than what he used.
If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.
Unicode killed the ASCII-art *
Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
Google does exactly the same thing (even with Google Checkout; at least the Xbox account can only be used to buy games for that same account).
Apple does the same thing, as far as I am aware.
I'm not saying it's right, but it seems to be par for the course.
It's funny, but that was exactly the same thing that convinced me to leave Hotmail once and for all 2 years ago, and I'd had the same Hotmail email address since before Microsoft even bought it back in the late '90s.
The thing that really pissed me off was that, when I contacted Microsoft and told them I got hacked and requested they delete the account, they flat out refused to do so, and told me I'd just have to wait until it was deleted due to inactivity. Because I'd had that email address for so long, I had literally hundreds of contacts that got hit with spam messages (to include former employers and companies that I had job applications on file for, how embarrassing THAT was). I wanted the email address dead so that I didn't have to worry about it happening again in 8 months, but apparently that was just too much to ask. My password was not some ridiculous '123456', either, it was a non-dictionary stream of mixed-case letters with numbers and special characters, so simply changing the password was not a satisfactory course of action in my opinion (and I told them that), but of course, what the hell can I do when they just say "no"? Sue them? I wish I had that kind of time and money. For all I know, they could have hacked the email again and reset the clock, but I made sure to delete every contact, set the inbox to exclusive, and set it to delete junk immediately upon receipt before I abandoned the account, so if the assholes manage to steal it again, it won't be much use to them.
The Xbox Live people were much, much more helpful with migrating my account to Gmail. For the days it took for the Live Mail team to respond to me, I was squared away in minutes with the XBL rep, and we even ended up bullshitting about old school video games for like 25 minutes afterwards.
Funny how much different two arms of the same fucking company can be.
This is also very informative, at least for me, as it gives me one more reason to avoid Win 8, as I had no idea everything in their new app store was tied to Hotmail. So Barence, thanks for submitting this article, most grateful. Sorry about the poor bastard that tried Hotmail and got pwned, but there is a good reason why many of us avoid Hotmail like the clap.
As for feeling sorry for MSFT? The only thing I feel sorry for them for is they are stuck between a rock and a hard place, but that was their own design and shortsightedness, so I am having trouble feeling sorry for it. What I mean is that they really need a hold in mobile because the desktop is mature tech and won't be gaining any more, but the only reason people buy Windows is for Windows programs, which of course don't run on anything but x86. But of course this is their own fault, as Cutler originally designed WinNT to be portable, and if they would have maintained that focus instead of going Wintel they wouldn't be screwed out of mobile as they are now, as the Windows programs could have run on ARM, or MIPS, or any other chip.
ACs don't waste your time replying, your posts are never seen by me.
In the case of this author he's an editor for a major tech trade online magazine with hundreds of high-speed contacts. He's a prime target, and he's been using gmail without incident for many years. If his computer was compromised to this degree, it would have happened before the Hotmail trial.
Help stamp out iliturcy.
You need to use your Windows Live account, check your email through Live Messenger, you want to use Internet Explorer, don't you.
Hello. I am using Windows 8.
I did not need to provide my Windows Live login for anything. While it is suggested, it certainly wasn't required.
I am using the built-in email, calendar, and messenger apps. All of them allow connectivity to multiple services including Exchange, Facebook, and more. (Yes, I can even see my Facebook contacts and events integrated into the various apps.)
And while Windows 8 certainly ships with IE 10, you're not forced to use it. I could have easily installed Firefox and tabbed it to the Metro screen if I wanted.
-David
From TFA:
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
So, seven lowercase letters. And this guy thinks it's "not that weak".
Are you also avoiding Android? Because that requires you to be signed into your Google account to do a lot of useful things (like sync stuff).
On the other hand, just like with Android, you don't have to use your LiveID in Win8.
As for why the guy got pwned... I'll just quote TFA.
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
It is assuming that the first password is generated by the once-recommended technique of starting with a word (to make it easy to remember) and inserting misspellings and doing character substitutions. E.g. "hackers" -> "h4kk3rz!!52".
It is pointing out that this adds less entropy than just inserting some more random words, while being significantly harder to remember for most people. The words are easier to visualize and associate with other cues.
You would only be correct if the password was generated completely at random, which is often not the case.
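The entropy comparison behind the "length matters more than content" remark and the xkcd discussion above, as an added worked example (not from the article or any commenter). It assumes uniformly random choice of every symbol or word, a 2048-word list as in the comic, and a constructed offline guess rate of 10^9/s used only to put the bit counts on a time scale.

```python
import math

# Constructed figure for illustration only; real cracking rates vary by hash type and hardware.
GUESSES_PER_SECOND = 1e9


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Bits of entropy for `words` words drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate


def compare_schemes() -> dict:
    """Entropy and exhaustive-search time for the schemes debated in the thread.

    The editor's password: seven lowercase letters (26^7 candidates).
    Same length with the full 95 printable ASCII symbols, a longer lowercase
    string, and a four-word random passphrase (the xkcd 936 scheme).
    """
    schemes = {
        "7 lowercase letters (editor's scheme)": charset_entropy_bits(26, 7),
        "7 chars from 95 printable ASCII": charset_entropy_bits(95, 7),
        "11 lowercase letters": charset_entropy_bits(26, 11),
        "4 random words, 2048-word list": passphrase_entropy_bits(2048, 4),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits)) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:40s} {bits:5.1f} bits  {secs / 86400:12.2f} days to exhaust")
```

Seven random lowercase letters give about 33 bits, which the assumed rate exhausts in seconds; the comparison only holds for truly random choices, so a partly mnemonic string as the editor describes is weaker still.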
"you don't have to use your LiveID in Win8"
Right. As long as you don't want to do things like, oh I don't know, use the email app to get email, or update the stock apps, or have a Calendar, or have an address book - then yes, you don't need a Microsoft account.
"Good things don't end with eum, they end with mania or teria." - H. Simpson
As long as you don't want to do things like, oh I don't know, use the email app to get email
If your email is a Hotmail account, then you will, of course, need to use that account (which doubles as a LiveID) for that specific app - kinda hard to avoid that part. If you use something else, you don't need a LiveID.
update the stock apps
I'm not sure whether this refers to "update stocks" or "update app". If the former, then you don't need a LiveID for that. If the latter, then you only need to be logged in for as long as it takes to install/update the app (much like iOS).
or have a Calendar, or have an address book -
Nope, not needed.
Sorry, but a lot of the default apps that come with Windows 8 - mail, calendar, address book, app store - won't even let you past the start screen if you don't log in with a Windows ID. Even if you want to use the default Mail app for a non-Hotmail account you need to log in with a Windows ID. Not only that, but Windows 8 pushes you to use your Windows ID as your login for your user account.
"Good things don't end with eum, they end with mania or teria." - H. Simpson