Slashdot Mirror


Microsoft's Hotmail Challenge Backfires

Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor says he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."

18 of 453 comments

  1. Yes, but other than that, how did you like it? by Anonymous Coward · · Score: 5, Funny

    Other than that, would this be an experience you would recommend to others?

    1. Re:Yes, but other than that, how did you like it? by AngryDeuce · · Score: 5, Informative

      It's funny, but that was exactly the same thing that convinced me to leave Hotmail once and for all 2 years ago, and I'd had the same Hotmail email address since before Microsoft even bought it back in the late '90s.

      The thing that really pissed me off was that, when I contacted Microsoft and told them I got hacked and requested they delete the account, they flat out refused to do so, and told me I'd just have to wait until it was deleted due to inactivity. Because I'd had that email address for so long, I had literally hundreds of contacts that got hit with spam messages (to include former employers and companies that I had job applications on file for, how embarrassing THAT was). I wanted the email address dead so that I didn't have to worry about it happening again in 8 months, but apparently that was just too much to ask. My password was not some ridiculous '123456', either, it was a non-dictionary stream of mixed-case letters with numbers and special characters, so simply changing the password was not a satisfactory course of action in my opinion (and I told them that), but of course, what the hell can I do when they just say "no"? Sue them? I wish I had that kind of time and money. For all I know, they could have hacked the email again and reset the clock, but I made sure to delete every contact, set the inbox to exclusive, and set it to delete junk immediately upon receipt before I abandoned the account, so if the assholes manage to steal it again, it won't be much use to them.

      The Xbox Live people were much, much more helpful with migrating my account to Gmail. For the days it took for the Live Mail team to respond to me, I was squared away in minutes with the XBL rep, and we even ended up bullshitting about old school video games for like 25 minutes afterwards.

      Funny how much different two arms of the same fucking company can be.

    2. Re:Yes, but other than that, how did you like it? by FrootLoops · · Score: 5, Interesting

      How is this Microsoft's problem? The possibilities are...
      (1) A guy writing articles about his new email address used a relatively weak password and someone guessed it
      (2) He logged in on a compromised machine
      (3) Microsoft has a genuine security problem

      The guy leaped right to (3), which seems the least likely to me. Since "my PC login" has also been compromised, (2) seems right. I can't help but feel this would have been pointed out long ago if the service were Gmail instead of Hotmail.

      Before it gets quoted back to me, he justified (3) by saying

      although I have to say from anecdotal evidence that Hotmail seems far more susceptible to account hijacking than Gmail.

      That's a very weak argument--it's based on anecdotal evidence and ignores possible differences between user populations. You'd think the editor of a magazine would take the time to write a thorough article instead of a knee-jerk one.

    3. Re:Yes, but other than that, how did you like it? by sortadan · · Score: 5, Insightful

      Agreed. Unless the hacker exploited a flaw in Hotmail to get the login credentials or it was obtained from some other Microsoft service (highly doubtful), then really it could be the editor's fault for either having an easily guessable password (the same as his luggage perhaps), or logging in from a computer that had been rooted and was key logging or whatever.

    4. Re:Yes, but other than that, how did you like it? by Smallpond · · Score: 5, Funny

      I'm curious to know how strong this password, used in multiple places really was.

      Very strong. Instead of the usual 12345 he used 54321.

    5. Re:Yes, but other than that, how did you like it? by PuZZleDucK · · Score: 5, Insightful

      I'll third that. I was appalled with the editor's attitude to passwords.

      1. He uses all lower case letters [FAIL - you know the rules you work at PCP]

      2. He was shocked one of his services had woken up and hardened its password policy [FAIL - you should be encouraging this kind of behaviour, not dissing it - I'm pissed when I'm _not_ allowed to use special characters]

      3. He obviously has no password management plans [FAIL - If I had to replace every single one of my passwords today it would be a hassle but there would be no chance of me not being able to recover accounts the next day]

      I feel less intelligent after having read this article... help me!

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman

    6. Re:Yes, but other than that, how did you like it? by Xeno+man · · Score: 5, Insightful

      Don't, they have done it to themselves. If Microsoft stopped forcing its own software down your throat and gave users choice they would have better products. Windows 8? You need to use your Windows Live account, check your email through Live Messenger, you want to use Internet Explorer, don't you. Also your default search is Bing, whoops you changed that to Google, let's change that back to Bing because you fucking love Bing, don't you? Don't you!?!

      Sometimes when products work together they work better, but sometimes you need separation between your accounts. If I have an Xbox Live account I may want my credit card on there to buy things, but if I also have a Hotmail account, I may have zero reason for Hotmail to have my credit card number. Maybe I want them linked together and to share data and maybe I want them worlds apart and not even know the other exists. Just give me a fucking choice.

    7. Re:Yes, but other than that, how did you like it? by Microlith · · Score: 5, Insightful

      People do care and do remember, because their OS monopoly is what allowed them to gain a browser monopoly and set the web back several years. They did leverage their position to ensure that non-Microsoft OSes were not distributed on OEM PCs, particularly BeOS which they threatened HP over.

      Please don't shill for Microsoft.

    8. Re:Yes, but other than that, how did you like it? by Jah-Wren+Ryel · · Score: 5, Insightful

      I feel less intelligent after having read this article... help me!

      And yet everything you listed is typical of regular users and Hotmail's target audience is regular users. The author may be a dolt because he failed to apply the expertise that is a requirement of his job, but when you have to be an expert to properly use a consumer-grade service, the real problem lies squarely with the service, not the user.

      --
      When information is power, privacy is freedom.

    9. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · · Score: 5, Informative

      From TFA:

      (Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It's not the world's strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn't that weak, either.)

      So, seven lowercase letters. And this guy thinks it's "not that weak".

    10. Re:Yes, but other than that, how did you like it? by the_B0fh · · Score: 5, Insightful

      Does it matter if it is "weak" or not? Unless the hackers compromised Hotmail's password file and are busily trying to crack it, it is irrelevant.

      What is relevant is that hotmail is apparently open to being bruteforced. Now, *THAT* is a fail.

  2. Backfires? by busyqth · · Score: 5, Funny

    Hotmail sent a message containing a malicious link to all of his contacts

    It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
    Good job Microsoft!

  3. Re:RTFA by ais523 · · Score: 5, Insightful

    No way that a web-based service should allow that sort of dictionary attack to succeed. It's not too hard to deliberately spend a sufficiently long time authenticating someone (especially if there have been a bunch of password failures recently on the account / from that IP) that dictionary attacks become unfeasible; it's not like you get to attack the hash. (Look at Wikipedia, for instance, where three login failures cause you to need to fill in a CAPTCHA to log in.)

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"

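The throttling that the comment above describes (deliberate delay on recent failures per account and per source IP, a CAPTCHA after a few failures, and refusal after many) is shown below as an added example. It is not Hotmail's, Wikipedia's or any provider's real code; the three-failure CAPTCHA threshold follows what the comment attributes to Wikipedia, and every other threshold, the sliding window, the delay schedule and the sample account and IP values are constructed assumptions for illustration. The last function turns the throttle into a number: how long exhausting the seven-lowercase-letter keyspace discussed elsewhere in the thread would take through a login form that refuses more than LOCK_AFTER guesses per account per hour.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed thresholds. FREE_ATTEMPTS mirrors the three-failure CAPTCHA rule the
# comment attributes to Wikipedia; the other values are assumptions for this example.
FREE_ATTEMPTS = 3        # failures before a CAPTCHA is demanded
LOCK_AFTER = 10          # failures in the window before attempts are refused outright
WINDOW_SECONDS = 3600    # sliding window over which failures are counted
BASE_DELAY = 1.0         # seconds of deliberate delay, doubling per failure past FREE_ATTEMPTS


class LoginThrottle:
    """Counts recent failures per account and per source IP, and decides how
    expensive the next attempt is before the password is even looked at."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so the behaviour can be tested offline
        self.failures: Dict[str, List[float]] = defaultdict(list)

    def _recent(self, key: str, now: float) -> int:
        """Drop failures older than the window and return how many remain."""
        cutoff = now - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def check(self, account: str, ip: str) -> dict:
        """Decision for the next attempt: allowed at all, CAPTCHA required, and
        how many seconds of deliberate delay to impose before answering."""
        now = self.now()
        worst = max(self._recent("acct:" + account, now), self._recent("ip:" + ip, now))
        if worst >= LOCK_AFTER:
            return {"allow": False, "captcha": True, "delay": None}
        delay = 0.0 if worst < FREE_ATTEMPTS else BASE_DELAY * 2 ** (worst - FREE_ATTEMPTS)
        return {"allow": True, "captcha": worst >= FREE_ATTEMPTS, "delay": delay}

    def record_failure(self, account: str, ip: str) -> None:
        now = self.now()
        self.failures["acct:" + account].append(now)
        self.failures["ip:" + ip].append(now)

    def record_success(self, account: str) -> None:
        # A correct password clears the account's counter; the IP counter is kept,
        # since one success says nothing about the other guesses from that address.
        self.failures.pop("acct:" + account, None)


def online_guess_hours(password_length: int, alphabet_size: int, attempts_per_hour: int) -> float:
    """Hours needed to try every password of this shape through the throttled
    login form, if the throttle is the only thing in the way."""
    return alphabet_size ** password_length / attempts_per_hour


if __name__ == "__main__":
    # Constructed sample: four failures against one account from one address.
    t = LoginThrottle()
    for _ in range(4):
        t.record_failure("editor", "203.0.113.7")
    print(t.check("editor", "203.0.113.7"))
    print("hours to exhaust 26^7 at", LOCK_AFTER, "guesses/hour:", online_guess_hours(7, 26, LOCK_AFTER))
```

The per-IP counter is what makes the check useful against guessing spread across many accounts from one address, while the per-account counter catches guessing spread across many addresses; a real deployment would also want the counters in shared storage rather than process memory, since web front ends are load-balanced.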
  4. Re:that will be a death note to enterprise use by Anpheus · · Score: 5, Informative

    If you took the cursory amount of time to research this, you'd find that (a.) no, Microsoft doesn't expect business users to rely on authenticating against Windows Live, and (b.) that Windows Live login is optional and not necessary, and a local account works just fine. You just don't get access to some easy synchronization items, but you can still access the Windows Store and apps by manually logging in.

    But hey, this is slashdot. Who needs to verify before they make grandiose claims?

  5. It's His Own Damn Fault by smack.addict · · Score: 5, Insightful

    His password is 7 lower case characters. It's a wonder his Gmail account wasn't hacked ages ago.

  6. Re:that will be a death note to enterprise use by Zero__Kelvin · · Score: 5, Insightful

    ... well then ... it's a damn good thing that almost all Windows users are business users then! You know ... because regular folks would probably sacrifice security for usability if they even knew that was what they were doing. Thank God there aren't many of those types with 'puters connecting their tubes to the Internet!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  7. Re:RTFA by IamTheRealMike · · Score: 5, Informative

    Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.

    Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.

    I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guy's password was the same on Gmail (i.e., he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.

    I did a public talk at RIPE64 on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.
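The scenario in the comment above, a third-party site's password database dumped and its hashes reversed, is only cheap when that site stored fast, unsalted digests. The added example below, which is not Google's, Hotmail's or any provider's code, shows the storage-side mitigation from the defender's seat: a legacy table of unsalted SHA-1 digests (constructed sample data) in which equal passwords are visible as equal digests, a salted PBKDF2 scheme in which every guess costs a full iteration count and one computation cannot cover several accounts, and a rehash-on-login routine that migrates each account the next time its owner authenticates. The iteration count, salt size, user names and passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed parameters: the iteration count and salt size are assumptions for
# this example, not values the comment or any provider publishes.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """How many breached sites stored passwords: one cheap SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow digest: each guess costs PBKDF2_ITERATIONS HMACs,
    and a per-account random salt means equal passwords give different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def duplicate_password_groups(unsalted_table: Dict[str, str]) -> List[List[str]]:
    """Accounts sharing an unsalted digest share a password. Whoever holds the
    dump sees this clustering at once, and reversing one digest opens every
    account in the group; this is the audit a defender runs on the legacy table."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, digest in unsalted_table.items():
        groups[digest].append(user)
    return [users for users in groups.values() if len(users) > 1]


def rehash_on_login(user: str, password: str, unsalted_table: Dict[str, str],
                    salted_table: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """Upgrade path: the plaintext is only available at a successful login, so
    verify against the legacy digest, store a salted PBKDF2 record and drop the
    legacy one. Returns whether the login succeeded."""
    if user in salted_table:
        salt, digest = salted_table[user]
        return verify_password(password, salt, digest)
    legacy = unsalted_table.get(user)
    if legacy is None or not hmac.compare_digest(legacy, fast_unsalted_hash(password)):
        return False
    salted_table[user] = hash_password(password)
    del unsalted_table[user]
    return True


if __name__ == "__main__":
    # Constructed legacy table: two users picked the same weak password.
    legacy = {"alice": fast_unsalted_hash("54321"),
              "bob": fast_unsalted_hash("54321"),
              "carol": fast_unsalted_hash("ordinary7")}
    print("accounts sharing a password:", duplicate_password_groups(legacy))
    upgraded: Dict[str, Tuple[bytes, bytes]] = {}
    print("alice login, migrated:", rehash_on_login("alice", "54321", legacy, upgraded))
    print("alice still in legacy table:", "alice" in legacy)
```

Migration on login rather than in bulk is the usual choice because the server never holds plaintext outside an authentication request; accounts that never log in again keep only their legacy digest, which is the argument for also forcing a reset on those after a deadline.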

  8. Re:RTFA by __aawavt7683 · · Score: 5, Informative

    This happened to me. Around October last year, I logged in, checked e-mail, and left the tab to do something else. About 20 minutes later, I went back to the tab, clicked Inbox, and... nothing happened. Clicked a few more things, nothing expected was happening. Hit refresh, was redirected to the login page. This is _not_ typical.

    When I logged in again, I had 30 bounceback e-mails. I checked sent items, I had 50 new sent e-mails, about 5 addresses each, to my entire contact list with a slew of bad URLs. A couple people contacted me about it. I checked the sent e-mail headers, and the sending IP had an address from Russia, China or some such.

    Compromised password? Not likely -- the password on my e-mail is completely unique, had never been used anywhere else, greater than 10 characters, computer-generated. I never type it on public machines, and hadn't used Hotmail on anything but my work machine, home machine (Gentoo) and Ubuntu box in... a long, long time. They would've needed a keylogger to get it. I scanned my work machine for viruses. Nothing. Perhaps there's an Ubuntu bug that somehow got exploited on me, but that box has never connected directly to the internet.

    I did some research, and the best that I could come up with is a 2011 attack where if an attacker sent you a bad URL, and you opened the e-mail, they could get your session cookie, log in and act like you. That is the _only_ thing that I found. But it was supposed to be fixed earlier in the year, and I don't recall opening any odd e-mails -- clearing the junk folder, seeing the subject, but not opening them. A few from expected sources, sure, but nothing that struck me as odd.

    So I changed my password and immediately stopped using the Hotmail web interface. The problem has not recurred, which suggests it's not an Ubuntu bug. This suggests, then, that there is still a session-hijacking bug in Hotmail somewhere that persists to today.

    Don't always assume it's user error if you can't figure out the flaw.