Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Hotmail Challenge Backfires

Posted by samzenpus on from the not-the-desired-outcome dept.

Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor say he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."

35 of 453 comments (clear)

  1. Yes, but other than that, how did you like it? by Anonymous Coward · · Score: 5, Funny

    Other than that, would this be an experience you would recommend to others?

    1. Re:Yes, but other than that, how did you like it? by masternerdguy · · Score: 4, Insightful

      I actually feel sorry for M$ on this. They tried so hard and genuinely improved the service and this happens. Still hilarious though.

      --
      To offset political mods, replace Flamebait with Insightful.
    2. Re:Yes, but other than that, how did you like it? by devitto · · Score: 4, Funny

      Other than that, would this be an experience you would recommend to others?

      I can't see why Playstation owners wouldn't migrate.

    3. Re:Yes, but other than that, how did you like it? by AngryDeuce · · Score: 5, Informative

      It's funny, but that was exactly the same thing that convinced me to leave Hotmail once and for all 2 years ago, and I'd had the same Hotmail email address since before Microsoft even bought it back in the late 90's.

      The thing that really pissed me off was that, when I contacted Microsoft and told them I got hacked and requested they delete the account, they flat out refused to do so, and told me I'd just have to wait until it was deleted due to inactivity. Because I'd had that email address for so long, I had literally hundreds of contacts that got hit with spam messages (to include former employers and companies that I had job applications on file for, how embarrassing THAT was). I wanted the email address dead so that I didn't have to worry about it happening again in 8 months, but apparently that was just too much to ask. My password was not some ridiculous '123456', either, it was a non-dictionary stream of mixed-case letters with numbers and special characters, so simply changing the password was not a satisfactory course of action in my opinion (and I told them that), but of course, what the hell can I do when they just say "no"? Sue them? I wish I had that kind of time and money. For all I know, they could have hacked the email again and reset the clock, but I made sure to delete every contact, set the inbox to exclusive, and set it to delete junk immediately upon receipt before I abandoned the account, so if the assholes manage to steal it again, it won't be much use to them.

      The Xbox Live people were much, much more helpful with migrating my account to Gmail. For the days it took for the Live Mail team to respond to me, I was squared away in minutes with the XBL rep, and we even ended up bullshitting about old school video games for like 25 minutes afterwards.

      Funny how much different two arms of the same fucking company can be.

    4. Re:Yes, but other than that, how did you like it? by vux984 · · Score: 4, Insightful

      What makes you think deleting the email account that minute would have made the slightest difference?

      They got in, skimmed it for the contact list, and they are done.

      They don't actually need access to your account to send email masquerading as being from you to spam your contacts from then on.

    5. Re:Yes, but other than that, how did you like it? by PickyH3D · · Score: 4, Insightful

      If you drove a Lexus, then why did you switch to the Yugo? The only serious answer that you can give is that the old-Lexus brand that you knew had failed.

      There are plenty of flavors of Linux, BSD and even Mac OS X if that floats your boat. Being "stuck" with Windows is your own fault, or you if it has applications that you require, then whose fault is that (hint: not the company that wrote the operating system)?

    6. Re:Yes, but other than that, how did you like it? by FrootLoops · · Score: 5, Interesting

      How is this Microsoft's problem? The possibilities are...
            (1) A guy writing articles about his new email address used a relatively weak password and someone guessed it
            (2) He logged in on a compromised machine
            (3) Microsoft has a genuine security problem

      The guy leaped right to (3), which seems the least likely to me. Since "my PC login" has also been compromised, (2) seems right. I can't help but feel this would have been pointed out long ago if the service were Gmail instead of Hotmail.

      Before it gets quoted back to me, he justified (3) by saying

      although I have to say from anecdotal evidence that Hotmail seems far more susceptible to account hijacking than Gmail.

      That's a very weak argument--it's based on anecdotal evidence and ignores possible differences between user populations. You'd think the editor of a magazine would take the time to write a thorough article instead of a knee-jerk one.

    7. Re:Yes, but other than that, how did you like it? by PaladinAlpha · · Score: 4, Insightful

      This would hold water if Microsoft weren't a convicted monopolist.

      They did some things right -- they gambled on backwards compatibility at expense of efficiency and won big-time. But they pulled a lot of dirty tricks, too, and their market position partly reflects that.

    8. Re:Yes, but other than that, how did you like it? by sortadan · · Score: 5, Insightful

      Agreed. Unless the hacker exploited a flaw in Hotmail to get the login credentials or it was obtained from some other Microsoft service (highly doubtful), then really it could be the editors fault for either having an easily guessable password (the same as he luggage perhaps), or logging in from a computer that had been rooted and was key logging or whatever.

    9. Re:Yes, but other than that, how did you like it? by Smallpond · · Score: 5, Funny

      I'm curious to know how strong this password, used in multiple places really was.

      Very strong. Instead of the usual 12345 he used 54321.

    10. Re:Yes, but other than that, how did you like it? by PuZZleDucK · · Score: 5, Insightful

      I'll third that. I was appalled with the editors attitude to paswords.

      • 1. He uses all lower case letters [FAIL - you know the rules you work at PCP]

      2. He was shocked one of his services had woken up and hardened its password policy [FAIL - you should be encouraging this kind of behaviour, not dissing it - I'm pissed when I'm _not_ allowed to use special characters]

      3. He obviously has no password managment plans [FAIL - If I had to replace every single one of my passwords today it would be a hasstle but there would be no chance of me not being able to recover accounts the next day]

      I feel less inteligent after having read this article... help me!

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
    11. Re:Yes, but other than that, how did you like it? by Xeno+man · · Score: 5, Insightful

      Don't, they have done it to them selves. If Microsoft stopped forcing it's own software down your throat and gave users choice they would have better products. Windows 8? You need to use your windows live account, check your email through Live messenger, you want to use Internet explorer, don't you. Also your default search is Bing, whoops you changed that to Google, lets change that back to Bing because you fucking love Bing, don't you? Don't you!?!

      Sometime when products work together they work better but sometimes you need separation between your accounts. If I have an Xbox live account I may want my credit card on there to buy things but if I also have a hotmail account, I may have zero reason for hotmail to have my credit card number. Maybe I want them linked together and to share data and maybe I want them worlds apart and not even know the other exists. Just give me a fucking choice.

    12. Re:Yes, but other than that, how did you like it? by DavidD_CA · · Score: 4, Informative

      You need to use your windows live account, check your email through Live messenger, you want to use Internet explorer, don't you.

      Hello. I am using Windows 8.

      I did not need to provide my Windows Live login for anything. While it is suggested, it certainly wasn't required.

      I am using the built-in email, calendar, and messenger apps. All of them allow connectivity to multiple services including Exchange, Facebook, and more. (Yes, I can even see my Facebook contacts and events integrated into the various apps.)

      And while Windows 8 certainly ships with IE 10, you're not forced to use it. I could have easily installed Firefox and tabbed it to the Metro screen if I wanted.

      --
      -David
    13. Re:Yes, but other than that, how did you like it? by Microlith · · Score: 5, Insightful

      People do care and do remember, because their OS monopoly is what allowed them to gain a browser monopoly and set the web back several years. They did leverage their position to ensure that non-Microsoft OSes were not distributed on OEM PCs, particularly BeOS which they threatened HP over.

      Please don't shill for Microsoft.

    14. Re:Yes, but other than that, how did you like it? by Jah-Wren+Ryel · · Score: 5, Insightful

      I feel less inteligent after having read this article... help me!

      And yet everything you listed is typical of regular users and hotmail's target audience is regular users. The author may be a dolt because he failed to apply the expertise that is a requirement of his job, but when you have to be an expert to properly use a consumer-grade service, the real problem lies squarely with the service, not the user.

      --
      When information is power, privacy is freedom.
    15. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · · Score: 5, Informative

      From TFA:

      (Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.

      So, seven lowercase letters. And this guy thinks it's "not that weak".

    16. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · · Score: 4, Informative

      Are you also avoiding Android? Because that requires you to be signed into your Google account to do a lot of useful things (like sync stuff).

      On the other hand, just like with Android, you don't have to use your LiveID in Win8.

      As for why the guy got pwned... I'll just quote TFA.

      (Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

    17. Re:Yes, but other than that, how did you like it? by tobiasly · · Score: 4, Interesting

      This is also very informative, at least for me, as it gives me one more reason to avoid Win 8 as i had no idea everything in their new appstore was tied to hotmail.

      Haha no kidding. I wonder if they still delete your Hotmail account if you don't log in for 30 days or whatever. Because that would be awesome to find out all my purchased apps were inaccessible because they deleted my "inactive" account...

    18. Re:Yes, but other than that, how did you like it? by Anonymous Coward · · Score: 4, Informative

      It is assuming that the first password is generated by the once-recommended technique of starting with a word (to make it easy to remember) and inserting misspellings and doing character substitutions. E.g. "hackers" -> "h4kk3rz!!52".
      It is pointing out that this adds less entropy than just inserting some more random words, while being significantly harder to remember for most people. The words are easier to visualize and associate with other cues.
      You would only be correct if the password was generated completely at random, which is often not the case.

    19. Re:Yes, but other than that, how did you like it? by the_B0fh · · Score: 5, Insightful

      Does it matter if it is "weak" or not? Unless the hackers compromised hotmail's password file and is busily trying to crack it, it is irrelevant.

      What is relevant is that hotmail is apparently open to being bruteforced. Now, *THAT* is a fail.

  2. Backfires? by busyqth · · Score: 5, Funny

    Hotmail sent a message containing a malicious link to all of his contacts

    It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
    Good job Microsoft!

  3. Epic Fail by girlintraining · · Score: 4, Insightful

    Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features

    So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, it is the Security department's responsibility to ensure that when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.

    Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Epic Fail by Anonymous Coward · · Score: 4, Informative

      Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features

      Google does exactly the same thing (even with google Checkout; at least the xbox account can only be used to buy games for that same account).
      Apple does the same thing, as far as I am aware.
      I'm not saying it's right, but it seems to be par for the course

  4. weak password by cratermoon · · Score: 4, Informative

    From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'

    1. Re:weak password by cratermoon · · Score: 4, Insightful

      Could be any of those things, or all of those things. In a fully Microsoft monoculture of shared architecture and sloppy security practices, it only takes one weak link to break the whole chain.

  5. Re:RTFA by ais523 · · Score: 5, Insightful

    No way that a web-based service should allow that sort of dictionary attack to succeed. It's not too hard to deliberately spend a sufficiently long time authenticating someone (especially if there have been a bunch of password failures recently on the account / from that IP) that dictionary attacks become unfeasible; it's not like you get to attack the hash. (Look at Wikpedia, for instance, where three login failures cause you to need to fill in a CAPTCHA to log in.)

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  6. Re:that will be a death note to enterprise use by Anpheus · · Score: 5, Informative

    If you took the cursory amount of time to research this, you'd find that (a.) no, Microsoft doesn't expect business users to rely on authenticating against Windows Live, and (b.) that Windows Live log in is optional and not necessary, and a local account works just fine. You just don't get access to some easy synchronization items, but you can still access the windows store and apps by manually logging in.

    But hey, this is slashdot. Who needs to verify before they make grandiose claims?

  7. It wasn't THAT bad a password actually by silentcoder · · Score: 4, Informative

    http://xkcd.com/936/

    Truth be told the passwords we actively encourage are no stronger than what he used.
    If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.

    --
    Unicode killed the ASCII-art *
  8. Not uncommon by krelian · · Score: 4, Interesting

    This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.

  9. It's His Own Damn Fault by smack.addict · · Score: 5, Insightful

    His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.

  10. Re:that will be a death note to enterprise use by Zero__Kelvin · · Score: 5, Insightful

    ... well then ... it's a damn good thing that almost all Windows users are business users then! You know ... because regular folks would probably sacrifice security for usability if they even knew that was what they were doing. Thank God there aren't many of those types with 'puters connecting their tubes to the Internet!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:RTFA by IamTheRealMike · · Score: 5, Informative

    Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.

    Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.

    I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guys password was the same on Gmail (ie, he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.

    I did a public talk at RIPE64 on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.

  12. Re:that will be a death note to enterprise use by Anpheus · · Score: 4, Interesting

    That's irrelevant though, and you're just picking a fight. I was responding to Joe_Dragon's completely inane objection to Windows 8 from a business standpoint, see his title: "that will be a death note to enterprise use". No, it won't be, and I explained why.

    Do you want to engage on a debate on Windows Live logins as well? Because you should know before you start that the Windows Live login has minimum security requirements, doesn't appear to store the Windows Live password locally, and appears to follow some pretty damn good security practices. Now, I haven't fully verified all of these claims, but the login process for Windows Live login appears to use local passwords and certificates to verify the local account password against The Cloud(tm) when available. This is actually an astoundingly good process, as I don't think the hash of the Windows Live password is ever stored on the computer, rather, it can be used to access the local password, but I don't think physical access to a Windows 8 machine can possibly give you access to a user's Windows Live credentials. You can only gain access to local, unencrypted data.

    There are bits of this I haven't verified, but are based off hunches of exploring the system and poking and prodding it. I haven't disassembled the login routines to verify what I think is happening is the actual process, but it appears that Microsoft has very much followed good security practices here. I was extremely impressed to notice that enabling Windows Live login merely downloads a certificate to the user's local certificate store (encrypted by a local password) and that other mechanisms appear to be in place to mitigate security risks.

  13. Re:RTFA by __aawavt7683 · · Score: 5, Informative

    This happened to me. Around October last year, I logged in, checked e-mail, and left the tab to do something else. About 20 minutes later, I went back to the tab, clicked Inbox, and... nothing happened. Clicked a few more things, nothing expected was happening. Hit refresh, was redirected to the login page. This is _not_ typical.

    When I logged in again, I had 30 bounceback e-mails. I checked sent items, I had 50 new sent e-mails, about 5 addresses each, to my entire contact list with a slew of bad URLs. A couple people contacted me about it. I checked the sent e-mail headers, and the sending IP had an address from Russia, China or some such.

    Compromised password? Not likely -- the password on my e-mail is completely unique, had never been used anywhere else, greater than 10 characters, computer-generated. I never type it on public machines, and hadn't used Hotmail on anything but my work machine, home machine (Gentoo) and Ubuntu box in... a long, long time. They would've needed a keylogger to get it. I scanned my work machine for viruses. Nothing. Perhaps there's an Ubuntu bug that somehow got exploited on me, but that box has never connected directly to the internet.

    I did some research, and the best that I could come up with is a 2011 attack where if an attacker sent you a bad URL, and you opened the e-mail, they could get your session cookie, log in and act like you. That is the _only_ thing that I found. But it was supposed to be fixed earlier in the year, and I don't recall opening any odd e-mails -- clearing the junk folder, seeing the subject, but not opening them. A few from expected sources, sure, but nothing that struck me as odd.

    So I changed my password and immediately stopped using the Hotmail web interface. The problem has not recurred, so suggests it's not an Ubuntu bug. This suggests, then, that there is still a session-hijacking bug in Hotmail somewhere that persists to today.

    Don't always assume it's user error if you can't figure out the flaw.

  14. Re:RTFA by rgbrenner · · Score: 4, Informative

    sounds like a CSRF vulnerability: http://en.wikipedia.org/wiki/Cross-site_request_forgery

    sites should use a session cookie + a unique value submitted with each post form

    if a site leaves out the 2nd part, and you visit a malicious site while logged in.. then that malicious page can submit a hidden post form to the site and the site will process it as if you submitted it.

    gmail was vulnerable to this a could of years ago