Hotmail Cracked Badly

Allright this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

One Word

Microsoft.

Re:One Word

But I thought, I had heard some time ago that Hotmail ran on Solaris.. I thought there was evening a story about MS trying to move it to NT after they bought, but failed.

Re:One Word

> But I thought, I had heard some time ago that Hotmail ran on Solaris..

Uh, yeah. And what's your point? Solaris is just the operating system. It's
Hotmail's/Micro$soft's *application* that's broken.

Re:One Word

i hate frames and cookies...

Re:One Word

Yeah. Keep the code closed. Security through obscurity. Good plan.

Re:One Word

Hmmm, As far as I am aware, MS has not released the source code to NT or Win2K or even Hotmail, yet everybody seems to be able to crack them... No doubt MS will just buy something to provide better security, that's innovation for you :-) Anon

Re:One Word

hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD

Re:One Word

"Security through obscurity" implies that obscurity is the security mechanism. That's different from non-peer-review.

If the mechanism for a passwording scheme is a switch statement with all the passwords inline (obfuscated somehow, obviously, so one can't just run 'strings' on the binary to extract the words) then it is "security through obscurity" to keep the source hidden.

Not submitting your soucre code for peer review isn't the same thing by any stretch of the imagination. It's just one precaution among many that can be taken to preserve a system's security.

Of course, devotees of the warped notion of "peer review" being bandied about in the Open Source(tm) community won't agree, but Peer review used to refer to a review by one's peers, in the sense of a credentialed body of experts. Not "throw it out onto the street and see what happens to it."

Re:One Word

[KaHa]

Sure it's possible. LynxSSL.

Re:One Word

[C.Lee]

Bullshit. Microsoft screwed Hotmail up badly. Compare Hotmail as it was *BEFORE* Microsoft got it's hands on it as opposed to the way it is now. The old Hotmail didn't care what browser you used to acess it. Now thanks to MS, you can't use older browsers or Lynx with it (well you can use lynx but you have to modify it)

Re:One Word

[Q*bert]

And if Passport was Open Sourced (whoever said this should be shot, IMHO), EVERYONE would know how to hack it. My God man.

Think again. You are making the famous appeal to Security Through Obscurity. If Passport were open-sourced, people would find the bugs and fix them, instead of sitting on them and hoping no one would notice the way Microsoft does with all its products.

Beer recipe: free! #Source
Cold pints: $2 #Product

Re:One Word

[scenic]

didn't improve it? Are you serious? It's changed quite a bit since they bought it... not to mention "cool" things like integration with MSFT Passport. Now there's a good idea. Place credit cards, mailing addresses, and passwords into our cool online service so that crackers know exactly where to hit the mother lode.

Sujal

Re:One Word

[heavyd]

I don't think it's possible to use Lynx. See here for why.
http://www.machineofthemonth.com/misc/ma0.html

Re:One Word

[bliss]

I used to do the very thing that you did a while ago. They were a good provider and had autodeletion features (good for mailing lists and such). When they first used cookies that killed me off and then when they decided to use https urls that hurt even worse. Does anyone know of a list of free e-mail providers that are lynx compatable (possible even with autodeletion features?).

Re:One Word

[mpe]

Compare Hotmail as it was *BEFORE* Microsoft got it's
hands on it as opposed to the way it is now.

I wonder if this exploit depends on something MS have
added on.

Now thanks to MS, you can't use older browsers or Lynx
with it

They changed it to requiring SSL wonder why...

Re:One Word

[[TaMRieL]]

LynxSSL. I encountered this when M$ yelled at me for not using SSL. Oh well. At least I now have 128-bit lynx courtesy of replay.com =)
With the new Hotmail it's sooooooooo more secure ... because of SSL, when you use the crack, no-one will know what account you're cracking *grin*
=) d

Re:One Word

[johnwerneken]

Not necessarily. Ms didn't invent Hotmail, probably did not improve it, and may not even have changed it.

Re:One Word

[witz]

It runs on Solaris and FreeBSD.

Re:One Word

[AstralM]

Obviously, since I use IE, I wouldn't have been bothered by this. But in all honesty, Hotmail is now much better than just before MS bought it. The Hotmail website used to take a month and a half to load, and emails took infinity+2 to receive.

If you ask me, MS has made Hotmail a much better service... too bad for the angry, bored geeks who must crack everything MS. If Red Hat bought Hotmail, nobody would've thought of cracking it.

And if Passport was Open Sourced (whoever said this should be shot, IMHO), EVERYONE would know how to hack it. My God man.

-AstralM

more info?

How abouts some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)

Re:more info?

Test here: http://www.2038.com/hotmail/

Re:more info?

>I just wonder what a CURMBOX is... Probably the CURrent MailBOX.

Re:more info?

Your .sig: Moxy Fruvus, Right? John.

Re:more info?

Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:

http://207.82.250.251/cgi-bin/start?curmbox=ACTI VE&js=no&login=ENTERLOGINHERE&passw d=eh

replace ENTERLOGINHERE with the account you are cracking.

This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.

Re:more info?

[Wansu]

Dog bitecha!

Re:more info?

[gr]

I wrote: Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

Hee hee... s/ASP/cgi/

So this just means it's lousy coding. No surprise there. cgi-bin's been a scary thing to have on your system for a long time.

Re:more info?

[gr]

Anonymous Coward writes
How abouts some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)

I agree. Why haven't I seen this on Bugtraq yet? I'll admit I've haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts /. these days).

Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

Btw, someone want to moderate up that (intelligent) AC comment?

Re:more info?

[luge]

Looks like it is gone now- could anyone describe it?
-luge

Re:more info?

[luge]

I take that back. Holy crap indeed. Thank goodness for free school email (not that it wasn't cracked in January, but whatever...)
-luge

Re:more info?

[Bartmoss]

Holy crap......

Re:more info?

[Bartmoss]

Well the how seems "simple"... it's a security hole. In the URL that the little script generates, you can change the password=eh to pasword=xxx, or whatever, and it still works. You can also change the user account name to some other account name and it still works. In Fact, you can have an empty passwd= part in the url and it works....

So basically what think this is, is simply access to a machine that normally users only get directed to once they've gone through the login process. Also, normally the parameters in Hotmail's URL's are encoded or something, but I wouldn't be surprised if what we see encoded in normal Hotmail access decodes to the URL type syntax this script generates.

I just wonder what a CURMBOX is...

If this is true, it just took someone to decipher the url encoding, and voilá.... and knowing MS, it's probably ROT13 or something.

Re:more info?

[tweek]

I said the same thing and then went and told all the people at the office to pull thier hotmail accounts.

Re:more info?

[mwillis]

This is a backdoor, not a crack of the password files. Changing your password does not protect you here.

Re:more info?

[trials_81]

Yeah, it is Moxy Früvous.

Re:more info?

[Iam]

Got cookie problems? I think if you have to many hotmail account cookies, it doesn't let you read any other accounts. To remedy this problem, just delete the few .msn.com and hotmail lines in the cookie file.
Iam

I would if I could, but I can't so I won't.

Re:more info?

[shadowspar]

> I just wonder what a CURMBOX is...

curmbox=ACTIVE: looks like some kind of status flag. Maybe it stands for "Current Mailbox".

Re:more info?

[ufdraco]

Same here. Though I was disappointed that they didn't explain HOW it was done, give any of the code, or anything of that sort. As it is, it is nothing more than a stunt. If they want to hide behind "We're alerting MS to a security hole" they need to do more than just demonstrate the hole. Or did they email MS/Hotmail with the information?

Anyway, thank God I ditched Hotmail a long time ago...

No meat, Commander. I'm hungry.

How do I respond to this? You've given me nothing to work with. No pundant's opinion to read. No way to get the raw details for myself. GIVE ME MEAT!

imagine that...

who would have thought that a NT box would have shoddy security on it? :)

Re:imagine that...

Last time I checked hotmail was using Solaris and/or a BSD. Hmm... How can you possibly find a way to bash NT given those facts?

Slashdot.org
News for lynch mobs. Stuff that matters.

Re:imagine that...

You moron. Hotmail doesn't run NT, it runs Solaris and BSD. Speaking of shoddy NT security have you managed to crack that windows2000test.com box yet? Didn't think so.

Linux: Losers In Need of UniX

Re:imagine that...

[dirty]

First off it's solaris/bsd not NT. Second, it's not an OS related security issue at all. It's just sloppy programming in the hotmail setup itself.

Re:imagine that...

[jwonase]

From my very lame understanding - it's a collaboration of OS's. Including NT with ASP. But, really, does anyone REALLY know all that it uses? Does MS even know what it's using? Hmm...

I could be wrong, so don't take it to heart - this is just what I learned. So go ahead and flame me if you heard different...

Re:imagine that...

[witz]

You people piss and moan about FUD, then you spread it yourself by spreading the incorrect notion that Hotmail runs NT. It doesn't, idiot.


-witz

Hotmail & security

Doesn't make me wonder. Hotmail was always known for security problems. I block anything from Hotmail anyway, since only spam ever comes from Hotmail, so who cares?

(Oh, dammned! I was so tempted to write first post! But thank God I waited a minute and resist the dark side :-)

Re:Hotmail & security

I don't get spam from Hotmail on my main account. Of course, I'm very protective of the one main e-mail I have. I should lok on Deja to see what the reaction is. Read their security page. Changing passwords will not help fix this. I am assuming this at the moment also violates their Trust-E statement since they say that Profiles are kept on a secure server not accessable to the public. But you can get into people's e-mail accounts and view their profile, which make the whole system exploitable. Anyone who sends any credit cards numbers out through hotmail already has a problem. Ooooh, scary! Hotmail's Security Page

Re:Hotmail & security

I block anything from Hotmail anyway, since only spam ever comes from Hotmail, so who cares?

You are an idiot. You get little or no spam from Hotmail. Learn to read headers.

Re:Hotmail & security

I know that's what he meant. That's why I called him an idiot. Hotmail users send little or none of his spam, or anyone else's spam. Pretty much the only spam you'll see with a hotmail address in the headers is from people who forge a hotmail return address.

This is trivial to filter out with procmail, and someone else has posted an example of how to do it. Blocking Hotmail is just plain stupid.

Re:Hotmail & security

[ariels]

> I block anything from Hotmail anyway, since only
> spam ever comes from Hotmail, so who cares?


The last time I got spam from Hotmail, I sent an irrate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.

Here's my procmail recipe which does just that:


:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
junk

Re:Hotmail & security

[BitchLick]

Obviously what he meant was that he gets nothing but spam from *@hotmail.com (hotmail users).

Mark

Last Straw

That is it, the last straw, I have come to the sorrowful conclusion that Microsoft is sorry and too wrapped up in profit and making thier name larger than it already is, this is just another example of them cutting corners and not taking care of thier customers that support them. I have already began my switch to Linux, with a light version of win98 on my box for the gaming side of the house, I am tired of the bugs, the crappy support, and the flak, M$ has got to go.

Re:Last Straw

Yeah, right. This was "the last straw" and you didn't hate Microsoft~1 two months ago. Uh-huh.

It's a groundswell of grass roots opposition of anti-Microsoft sentiment. Uh-huh.

Open-source Astroturf.

Re:Last Straw

My last straw with MS was last December. I've been Microsoft free ever since. Of course, if the message you were replying to was a fake grass-roots type post, it doesn't make much sense being posted on a pro-Linux site. It would have made more sense to post in a pro-Micosoft site. Astroturfing works only when the people you are trying to reach can see it. Therefore, I conclude it was probably not astroturfing.

Re:Last Straw

[johnhebert]

Welcome aboard. Need any help? :)

Re:Last Straw

[Stonehand]

Just keep in mind that other programs don't have to come from MSFT to be coded badly. Remember the bad ol' days of Sendmail popping up on BUGTRAQ every so often, along w/ imapd and wuftpd? So switch if you like, but don't get too complacent and neglect to lock down a critical box.

You can have the safest OS in the world, and still have lousy security if a single privileged, network-accessible program is written with the slightest bit of carelessness...

Password

I just read about this Passport thing when I visited the hotmail site because of this story. Of course, wouldn't sign up with such a Microsoft thing but maybe it isn't a bad idea - if done right with open source, etc. Like everyone I have zillions of logins that I have to manage. I would like a secure and convenient way to do it. But maybe the only secure way is to avoid trusting some login broker.

Re:Password

[scenic]

It's a good idea, but best left decentralized (i.e. maybe a standard extension in the browser or some such idea). The idea of a single server for this type of information just scares me.... cracked once and a whole lot of people are in trouble. And, by it's very nature, it can't be protected in the same ways as credit card computer systems and bank systems (firewalls and dedicated networks).

Sujal

Re:Blammo!

Here ya go http://www.netcraft.com/whats/? host=www.hotmail.com

Re:More info ?

Checked an old account of mine and no it's not the password.

Re:Before anybody starts crowing ...

Asking people on slashdot not to go apeshit over a story about MS is pointless.

Re:Blammo!

Do you have any proof of this? I have heard this was FUD and MS never had any plans of moving hotmail to NT.

Re:Before anybody starts crowing ...

Asking people on slashdot not to go apeshit over a story about MS is pointless.

Sigh ... I suppose you're right. But as a sometime-member of the clan Anonymous Coward, I hope to bring some respectability to the fallen (if it was ever perched anywhere from which it could fall) house.

How long does it microsoft take to fix this?

Is there anyone with more info on when the bug first showed up,
I would be *very* interested to see how long it takes microsoft to fix this.

Re:How long does it microsoft take to fix this?

[RPoet]

They'll probably release a Hotmail Service Pack sometimes early next year ;)

Logging?

Anyone know if they are currently logging connections or have any way to track people who use this exploit?

Re:Logging?

One would hope so.

Re:Blammo!

so let me see. you don't like NT (that much is obvious), you don't like solaris, i suppose you might have a gripe or two about linux too. and the last piece of free software you contributed is.....

Heh

This is cool, I just read my sisters email and deleted all her spam. Now you can go after any spammers @hotmail.com =)

Re:Heh

[BigDaddyJ]

Heh - you could go in and delete their addressbooks! We should have a feature like this just for spammers.

--bdj

Re:Found the link...too late

Well, one hopes that among the admins at hotmail are /. readers and they're working on it as we speak. If not, well, then somebody should really send them email about the exploit. As much as I don't like MS, there are *real people* (!=MS execubots) with assets that may be put in jeopardy by this.

"See, if you have the goodwill of the community, you can get these things reported to you and fix them without having to face a potentially devastating security breach."

Re:psycho fud-flingers!!!

I can log into my account, but not actually read any of the messages, can anyone else read their messages??

Re:Has anyone tried the crack and got it to work?

Yes. I did. It worked at about 7AM PDT for a couple of minutes, then it stopped working with various errors generated. Noticed the errors when I was in a mailbox and couldn't read the messages (some sort of cookie error, it said). Upon trying a different login, the exploit seemed to not work, generating an error messsage. So, *something* appears to be being done. -Rich

Re:action

Deleting really won't help in the short term. To quote hotmails "trash can" -- "Trash is emptied several times a week" So even if you delete all your stuff now it will linger for a few days.

Microsoft's awake

After reading my own mail, then a friend's mail, then someone's grandmother's mail... a few minutes under "admin" finally reaped a "intrusion alert" message, so hopefully, Microsoft's awake and on the case.

Re:Before anybody starts crowing ...

I like the idea of slashdot alot, I like the slashdot clone sites as well but they just aren't updated as fast as slashdot. If they were I would never have a reason to come back here.

You would think nerds would want facts, instead with slashdot you get second hand FUD. For example, the register (another sad bigioted site) posted a long article about their story on Win64 that corrected a lot of stuff from the first story on that was on slashdot. Was it posted here? Nope.

Was it posted that the Win2k test server has been running great for the last 2 weeks? Nope. Was it posted it is still running great after they opened up more ports? Nope.

There are so many more examples it is sad.

cookies...

hmmn half the time it seems to set the cookie and half the time it won't (ie on some accounts you can read messages and change options and on some you can't)

why?

Re:Blammo!

FreeBSD

reverse FUD?

When you sum this up with other "didnt do their homework bugs",

They seem to have . an ../ etc bugs in ever piece of software they make (netbios/iis)
And get it on world-wide media like:

Another bug in widly used and trusted microsoft product... open-source software seems unafected.

There is a chance that the even the complete microsoft markating dep. cant compensate for the negative news.
This way many people might see that microsoft security isnt trough obscurity, but trough marketing ;-)

Spammer's return mail

Wanna see the kind of return mail spammers get? Try war8989 as a user name. Not Necessarily an AC...

4:30 pm GMT, the hack is still working

Still working, I just checked if my friend got the email I sent him this morning.

I wonder what the PR people at Microsoft will reply to this.

Re:Any links?

Yes, its true. You don't need any specific URL to try it, its just a question of a small piece of HTML code. I have it right here, its just your basic FORM that goes like this; form name="HotForm" action="http://207.82.250.251/cgi-bin/start" method="post" ... and of course, along with a bunch of CGI variables that I won't post here for the welfare of the world. I guess that piece of HTML code is already floating around the world. It's amazing that Hotmail hasn't closed down already, this is old news by now and it still works! (I just tried on my own account!)

HOLY SMOKE! IT WORKS!

.

Here is the source

I hate hotmail
Hotmail Login:
Password:
have fun

Re:tabloids first

For once (S)expressen was actually right, and almost first, about a piece of News

When you want to hassle NT

Spread FUD that NT crashed and burnt when they tried to run NT on hotmail - anythen if you like, try to announce that Hotmail runs on Linux.

But if hotmail gets cracked....it must be running NT.

Losers

Re:Security and platforms

I'm not a security export - what's so bad about sprintf/sscanf?

I can imagine some scheme where cracking code examines an executable for the tell-tale % and then modifies the file so it accepts something else when doing string comparison on passwords. But this would require intimate knowledge of the victim code, and if you know enough to do that, wouldn't you know enough that there would be other appealing places in the code to hack that didn't involve sscanf/sprintf?

I guess I'm wondering what's so special about these that you singled them out.

blaat.

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=LOGINNAAM&passwd=eh

Re:Blammo!

Checking the www.hotmail.com-server only gives you info on what the redirect-machine is running. As you may note when you login on an hotmail- account, or if you find a site with "the hack", the actual "mail-transactions" and so on takes place on different machines (something like w1fd.hotmail.com). You have to check what these are running. Sooner or later I guess you will be finding NT/IIS on some of these. (My asumption is that (in the future ?) MS will have been able to share and reduce the load to so many machines that they can run NT/IIS ... ) /Per

Re:Blammo!

Well lc2.law5.hotmail.passport.com is listed by netcraft as Apache on FreeBSD...

the following URL contains .asp?
http://lc2.law5.hotmail.passport.com/cgi-bin/das p/hminfo_shell.asp?_lang=&beta=&content=ne wlook&ishotmail=1

So they have
A) a custom NT which looks like FreeBSD ...
B) ported ASP to work on FreeBSD
C) configured apache to treat ASP as scripts. why ?


PS www.passport.com is NT /IIS says netcraft

PSS try http://lc3.law5.hotmail.passport.com/cgi-bin/dasp/

see what scripts are on offer ...

Re:psycho fud-flingers!!!

The point is IT IS a shoddy Microsoft programming problem.

Re:Blammo!

... or a more likely explanation is that the server you are seeing is just a reverse proxy with an NT server hidden behind it, surely?

THIS IS *** F *** A *** K *** E ***

The so-called "special form" used didn't even bring you to hotmail, it brought you to their own server made to look just like hotmail with a bunch of fake messages in there. Hotmail runs on BSD using Apache, not anything from MS. While Microsoft owns it, it's still run by the same Unix people as always.

Anybody else smell something fishy here?
HINT: The first word about this came from *.AOL.

No flame, but...

It doesn't use NT. It uses FreeBSD and Slowaris. I've never seen a single doc up there using ASP. All CGI.

oh my bloody god

Wow, this has got to be causing some major forehead smacking at hotmail. check out security, that's some funny shit. arrgh. and what is with all the people blaming the OS for what is simply an administration stupidiy. is it the OS's fault you waltz out of the CS lab to go to the toilet whilst still logged in as root?

Re:oh my bloody god

is it the OS's fault you waltz out of the CS lab to go to the toilet whilst still logged in as root?

Well, yes, it's the OS's fault that so much power is invested in a single root account.

Sitting out at some remote location somewhere on the 'net' and having the adminstrator account for an NT box doesn't necessarily get you very far. Because the system isn't designed with one single "magic bullet" security key as is the case with Unices.

The irony is�

Since this appears to be a stupid CGI bug/human error keep in mind that chances are a UNIX admin wrote the CGI script since hotmail does UNIX.

We now return you to your regularly secluded bashing and close mindedness.

Re:The irony is�

I know a few SysAdmin and Engineer in Hotmail. They're good and they don't have more of a mcse background. The problem is that (somebody has already pointed this out) they really don't care in Hotmail anymore and they all care in m$ stocks and hurry up their vesting time. SeeYa!

Re:The irony is�

[bmetzler]

Since this appears to be a stupid CGI bug/human error keep in mind that chances are a UNIX admin wrote the CGI script since hotmail does UNIX.

I would disagree. My guess is that they gave the job to write the program to some MCSE certified drone. However, of course the guy quickly found that the MCSE doesn't cover CGI, and the guy had no clue. Incompetence reigns within the MCSE "community." Perhaps next time Microsoft will hire a real CGI programmer. Of course, as they point out in their whitepapers, they'd have to pay a Unix CGI programmer more.

-Brent

Wouldn't it be wise to...

Wouldn't it be wiser to inform hotmail before posting this article on slashdot. This way you wouldn't be contributing to all the people who have just had their mail accounts gone through and whatnot. I know slashdot didn't post a direct link to the script but I'm sure they knew someone would.

TRY THIS URL !!!

Try this out: http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=ENTERLOGINHERE&passwd=eh replace ENTERLOGINHERE with the account you are testingg.

Re:Blammo!

maybe take the ? out from the .asp?

Internal Server Error

Oops! The server encountered an internal error and was unable to complete your request.

Please contact our server administrator, webmaster@hotmail.com and inform them of the time the error occurred and what activity you


might have been performing just prior to receiving this error.

Server Name: lc2-lfd65.law5.hotmail.com
Your Browser (User Agent) = Mozilla/4.6 [en] (X11; I; Linux 2.2.12 i686)
Last Task (ScriptName) = /home/httpd0/cgi-bin/dasp
RequestMethod = GET

500 Internal Server Error
Internal Server Error
Oops! The server encountered an internal error and was unable to complete your request.

Please contact our server administrator, webmaster@hotmail.com and inform them of the time the error occurred and what activity you might have been performing just prior to receiving this error.


Server Name: lc2-lfd65.law5.hotmail.com

Your Browser (User Agent) = Mozilla/4.6 [en] (X11; I; Linux 2.2.12 i686)

Last Task (ScriptName) = /home/httpd0/cgi-bin/dasp

RequestMethod = GET

TRY THIS URL !!!

Try this out: http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=ENTERLOGINHERE&passwd=eh replace ENTERLOGINHERE with the account you are testing.

Security, etc, blah.

I'm on a slow@$$ connection and haven't had the time to check out all of the stories, but the basic understanding that I get is that this individual/group was able to crack hotmail mail accounts by way of a flaw in M$ Passport?

Regardless of the hardware/software they have running for "hotmail.com", regarding the craCkiNg incident, it prompts me to remind everyone of the cliche something along the lines of "it is only secure as the weakest link". So even if you have some mega strong software with 10,240,000-bit encryption, if you have a little flaw that would allow pretty much anyone in, then your security is useless.

I've seen hotmail cracked before, and I've actually found my own back when they were a fledgling newbie e-mail service on the net.. Apparently someone(s) didn't know how to code java/script and/or CGI properly.. the basic exploit I found (2 years ago) was ..
1) enter the user name
2) enter any password you want
3) view the mailbox location in the source
4) copy/paste that in the URL

I know it's pretty lame, but I'm just proving my point that hotmail could have been running on the highest secured Unix/Linux box in the world and not be effective at all.

M$ will have this fixed in a few days guaranteed.

You are in error sir

The Hotmail backend is run by Solaris macines. The front end by a farm of xBSD boxes. Most of the major outages were caused by a port of the backend to NT.

Web pages are by their very nature insecure. I have personally tested many ecommerce sites and THEY ARE FULL OF BUGS. yes thats right, product for free. The hotmail fault was simply a lack of proactive security auditing.

TOASTED

it's 404 error time on 2038.com...it was fun while it lasted. i wonder where else this exploit might be popping up.

Re:TOASTED

[JavaBear]

The page at 2038.com just redirects to :
http://www.microsoft.com/security/default.asp

It's gone.

The cgi script just disappeared off the sever. I guess someone from MS managed to get ahold of the admin and have him take it down. Oh well, it'll probably pop up on another server soon....

well i can read my email

if i go to hotmail via this url hack ?? that's so stupid, it can't be a hack i can open my email

DUDE THIS IS FUCKED !

NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE WWW.2038.COM HAS TAKEN DOWN THE CGI SCRIPT WHICH EXECUTED THE EXPLOIT .. I GUESS THE FUN'S OVER KIDDIES NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE NOTE

Re:DUDE THIS IS FUCKED !

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=USERNAME&passwd=eh If you can't figure it out from there...

Re:DUDE THIS IS FUCKED !

[mustard]

Well, two messages saying the cgi is down, but the exploit is still working on this end. Caching?

It works, buddy, it does!

Hotmail users are in trouble, big, big trouble!

Re:Still working...

Maybe they're collecting IP addresses and building up a portfolio of felony warrants of people being observed exploiting the hole. That would be sweet.

Hotmail EMail Safety link

Check out HotMail's "Email Safety" link off the main page ... it is conveniently dead! Somehow quite fitting.

Re:Holy cow

The hole is wide open. Anything that can be done while "legitimately" logged in can be done through the hole. Sucks, eh?

Yeah, real "sweet", jerky.

Spoof, baby, spoof.

IT STILL WORKS - New Link

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=XXXX&passwd=eh Just replace XXXX with the username of your choice. Out of 6 that I tried, 5 worked. I don't know more than that. A.

Re:Still working...

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=whatever&passwd=eh seems to work still :P ee.

Hotmail is DOWN!

As of a few minutes ago, www.hotmail.com fails to respond. I guess MS is finally aware of the problem? Screw this crap, I'm deleting my Hotmail account as soon as I can get access again.

Re:action

btw - i do not have an account with hotmail, but a lot of my friends do

Friends don't let friends use Hotmail!

It has been fixed...sortof

Apparently you can no longer actually mess with the accounts accessed in that manner, but you can still see inboxes. Not exactly the best fix in the world, but I'm amazed at the response time.
Also, maybe this isn't new, but it seems that the little "passport" icon now says "beta" on the side. Heh.
As for how I got this information, I used it on my own account, so the FBI can just go soak their heads. :)

Re:Hotmail is DOWN!!!!!

hotmail was down weeks ago when their options for deleting entire mailboxes was curiously taken away from the user.

Re:Crack Famous Email

I'm surprised you've posted the above message as a non-AC, considering that you've just publicly advocated a felony. It's probably a good thing you didn't admit you've prowled around in there.

Oh my gosh! My spam is insecure!

This means all that spam I've been diverting to my hotmail account is available for anyone to read!

Re:Oh my gosh! My spam is insecure!

yeap that's where i put those suckers. heheheh

Re:Oh my gosh! My spam is insecure!

[tweek]

Well it looks like things are dead for now. A user who came in late to the office wanted to clean his box out but couldnt get there so I took him via the direct url and now it's saying no permission on /cgi-bin/start so it looks liketheyve closed for good.

Re:The address

My God! Why don't they either fix it or shut it down!!!!!!!!!!!!!

Re:idea?

Sure. They then catch on after the 2,459,596th account you delete.

The operative word is "catch" as they then put you in jail for a long time.

Re:Still working at 11:50am

An article is already on the NYTimes tech pages. The backdoor is still there at 11:50. Why haven't they closed it yet? They truly must not care about security.

Re:UPDATE...

Everytime i try now, i get error 403 forbidden. any suggestions?

Re:Still working at 11:50am

yea and cnn.com frontpage. well, seems they finally plugged it at ~12.01 .. ee.

http://lagparty.org/hotmail/ STILL WORKS

http://lagparty.org/hotmail/

Let me guess

"Thunderstorms" must have caused this :)

Is it fixed now?

I just tried that link and it worked...and then went to show it to someone else and it didn't work... did they fix it???

Re:Is it fixed now?

[Skim123]

I can't get it to work (trying at 1:12 CST) I get a Fobidden, Don't have permissions to access /cgi-bin/ error...

Re:Is it fixed now?

[NoNsense]

I think they have something set up which monitors the IP your coming from, and seeing how your using it. I tried it a few times and it worked, but then it died. Perhaps the system is sort of crippled -- and realizez your multiple attempts using this one url, and blocks you out.

Dunno

Re:Quit while you're ahead.

they can't do that if ypou're testing the integrety of your own mailbox!

.

It worked a couple of minutes ago. www.hotmail.com is now down. Maybe it will be up later on tonight.

Re:More info ?

Seems to be fixed now. I get "HTTP 403 Forbidden..." when trying to use the exploit.

Re:Security and platforms

It seems to me that it should be possible to create a kernel which isn't vulnerable to buffer overflow exploits. AFAIK, they all work by overwriting the stack return pointer so that it jumps to some code they have written onto the stack when the function returns.

I can think of a couple of ways to prevent this from being possible. One would be to rearrange the stack frames so that there are no "trusted" components of the frame (such as return addresses) at higher addresses than user variables. That way, any errant strcpy of whatever will only be able to replace other local stack-based varibles.

Another option would be to place one or more zero bytes between the user variables and any trusted stack frame components. The kernel can then check that the NULL's are still there before using the return pointer (or whatever.) Since it's impossible to put zero's into the middle of a string, this should make it impossible for any buffer exploit to get out of the user data part of the stack undetected.

Of course, this would not prevent an exploit from changing other user variables to some new value. Thus, it may be possible to write a useful exploit this way. I can imagine situations when you could overwrite a UID or path in the function to get root access.

An extreme approach might be to simple take strcpy and sprintf out of the header files, and rebuild everything. Quite a few programs would have to be modified, but the effort would pay off in a much more secure system.

Re:At last, a credible story to scare my boss ...

If you've got people with laptops that contain information about billion dollar deals they should at least be using NT with NTFS, preferably some kind of encrypted file system so if (or when) the laptops get lost or stolen the data is useless to whoever has it. Windows2000 has native support for EFS which works very well. Linux, I belive, has EFS software you could use, but then you'd need to get your boss to switch to Linux.

Re:Before anybody starts crowing ...

Do you have the link to newer article from The Register? They seem to have removed all links to the article from their site.

Re:CNN Coverage

Notice how it is not the leading story over at msnbc.com. Thin line my friends, thin line.

There is no account deletion on demand

Even if you want to delete your Hotmail account, you can't--the account is only deleted after 90 days of inactivity. So, if you already have an account and someone wants to crack into it, the account will not be inactive and won't be deleted (even if you have stopped using it).

The deletion method seems to be a recipe for disaster. Someone could hijack your email address and the only way you would find out is if you check your email at Hotmail. But because you have used your account to check to see if someone broke into it, the account inactivity date will be reset (so the account will be deleted 90 days from the date you checked to see if it was misused). Sort of a catch-22, eh?

Catching someone who just used your account to send messages would be tough. If you want the account deleted, you can't monitor your account for misuse and you can't automatically delete it. If someone misuses your account, there's almost no way for you to know. If someone you know received spam from your account and replied to your Hotmail address, you couldn't find out without checking your account. A cracker could misuse your account and because the account is being used it won't be deleted.

Maybe a few classes on computer security would be helpful for the Hotmail staff--as it is now, how can the Hotmail service be trusted?

Re:changed it a little

Are you getting that URL to work? Cause I'm not....

"Cracked"? No. "Hacked"? No. Broken? Badly.

The problem with the stories on cnn.com and news.com is they don't explain the bypass. The problem is one of crap design, where it doesn't authenticate the password at the mailbox, but just at the front page. I kinda wish they would explain it, instead of just saying these websites had a "crack". Those people could get screwed when MS starts looking for a scapegoat. But when you think about it, all they did was use an URL. There was no scanning, virii, trojans, buffer overflow, etc.

it seems they've fixed it

i've talked right now with an hotmail sysadmin. he told me that they've spent ALL NIGHT trying to figure out what to do, and the only way to fix was taking down some stuff.

Re:it seems they've fixed it

Dude...I was thinking the same exact thing! Man you obviously know more about security than they do. And I I guess I do too...

Re:it seems they've fixed it

it isn't difficult, dude, but remember, they're micro$oft employees :-)

Re:it seems they've fixed it

HTTP_REFERER is very weak security. It's created and sent by the browser, so a knowledgable user can set it to anything he wants it to be. Security holes happen when people don't understand how things work.

Re:it seems they've fixed it

[The_Jazzman]

The thing I don't quite get is is it too difficult to check the HTTP_REFERER setting to see if the request came from HotMail ? Surely that would be a good hotfix to buy more time, and a pretty quick one at that.

Re:it seems they've fixed it

[The_Jazzman]

that's why I said it as a hotfix to buy time... not as a permanent method. By the time it had been figured out by those capable you could have a new system roughly in place...

it ain't working

no way, but good try

Re:Security and platforms

Of course buffer limitations are an issue, but that was true in my intro to programming course in college way back in '80. It was M77 FORTRAN on cards, so there was no sprintf or sscanf, and certainly no crackable hotmail. So again, how do they relate to security such that they were singled out?
-The Same Anonymous Coward As Before

They took fsking forever to pull the plug...

Man I can't believe that...Once you've been violated like that, it's always good policy to pull the plug ASAP. But no, they let it ride for a loooooong time. The exploit's been around a couple weeks too. Pretty stupid... I feel sorry for the poor sods working there...I hope someone's handing out parachutes.

Typing in a valid URL is NOT illegal...

However, for the people who made it easier by putting up webpages (where you only had to type in a username), they could become a scapegoat. The problem is the way all the major news outlets are telling the story. As if it was some special hack that could only be done from said websites. It's great spin for Microsoft, and makes the problem sound somewhat less severe than it really is--"Look these hackers violated our security and allowed others to login!" The truth is, there was no security...

Gonna use the emails to get laid, just like Abe!!

Woohoo, got some juicy emails on female accounts. All kinds of tasty tidbits...girls like to talk don't ya know it!

Now it's time to troll some of the chat rooms they frequent and hook up...

Asshole Abe is my hero! I wanna be a Punk H4x0r Kid too!

more than 12 hours?

It was in a swedish tabloid this morning, and, though the websites are closed, the direct URL given in some comments still work at 18:00 UTC. This means Microsoft lets its users mail wide open for more than 12 hours, AND HAS DONE NOTHING TO PREVENT IT. There isn't even a warning on Hotmail! I can't understand why they don't shut Hotmail down until they fix it.

they don't care !

we have to think that guys at hotmail are just waiting for microsoft being split in msn and microsoft, so they can make more monay on the msn stocks. security? they don't care. customers are not paying, so they really don't care about. and a couple of friends have confirmed this.

Re:Found the link...too late (This here works)

This doesn't really work. I can get into the account, but I can't read the emails or do anything else. It only works on my own account, because the browser uses a cookie to remember my previous login.

It's Microsoft's Problem

Do you understand the concept of ownership?

Microsoft owns hotmail. Period. Therefore, they are most certainly responsible for it; they manage it, their alleged IT experts maintain it.

Do you understand the concept of responsibility? Or are you a moron? Responsibility has nothing whatever to do with NT! It does have something to do with hiring incompetent morons!

Re:Quit while you're ahead.

Gaining unauthorized access to a computer system and/or using computing resources without authorization is illegal. Plain and simple. You can joke about it all you want but seriously, that's it. I like to joke about it now because when I first started using the internet 10+ years ago, that was the only way I could get access.

Here comes the awful house analogy... if you don't have a door on your house, is it illegal for someone to enter your house, sit on your couch and watch TV? Assuming they don't have authorization, it is at a minimum called trespassing. Same thing with computer systems. Even if there is no password to an account, you do not have authorization to that account.

is Microsoft Investor vulnerable (uses Passport)

I just signed up with Microsoft Investor after not having used it for several months. (This site is probably the best use of ActiveX I've ever seen.) They now use a MS Passport account. They sort of implied that in the future you could keep your portfolio contents on their server so you could use Investor on more than one computer (I think the data is currently kept on the local hard drive). Investor also now has integration with about 10 of the biggest internet stock brokers. I sure hope you have to enter a broker specific password before a trade is authorized. Can you imagine the implications. Did anyone out there try getting into Investor?

Re:A major design point.

snprintf is a GNU extension. And just like strncpy, it's a horrible idea. Fixed-length strings are a retarded idea and should have died out 20 years ago when they became obsolete. I mean aren't you C programmers kind of annoyed that you have to make your own good_sprintf(), good_sscanf() and good_gets() to get around stupid fixed-length strings? (Although hopefully you picked better names than I did). C has by far the worst standard library I've ever seen. The language is fine, but the library is not. Whoever came up with the idea that *scanf(), *sprintf() and *gets() should work on pre-malloc()ed (and hence fixed-length) strings deserved a good kick to the teeth.

it's just a 'bug'

and nobody will discover the real problem, m$ marketing will go on convincing people that hotmail is great and it's the only one. and also this break-in will be forgotten soon. remember, is microsoft

Re:Not the first time

yep. there was also another one, which was like an overlay form..basically waited for you to login, and crashed netscape or IE..this lead to *ALL* your email being deleted (YES, ALL THE FOLDERS!) without you even trying to read/clik on anything..it deleted when you logged on...i've seen it in action..pretty effective..switched to another email service when i saw it and deleted my hotmail account.

Re:Isn't ANYBODY the least bit worried?!

That should read "to any badly-programmed web-mail service

hahaha, this is funny, but sadly real.

they work for microsoft. they probably dunno anything about security and probably they have a bunch of idiots leading the team.

Why don't some work?

why do some of the accounts just lead to a "you need cookies enabled" error page? glad i chose rocketmail.. heh

Re:Hotmail & SPAM

One small correction - the latest Outlook Express can handle Hotmail accounts. Hence it would be possible to send mass mailings through Outlook Express and bypass the web style interface.

what is obviously being overlooked...

is that Microsoft didn't start Hotmail, they just bought it out and now promote it. I know that Hotmail had security holes all through it before the buyout, but now that it is Microsoft Hotmail, it is the focus of attack. And of course with that comes all of the blame focusing squarely on MS's shoulders. Are they to blame? Sure. Is it because it is a MS product that is sucks? NO. But of course this is me preaching to the blind and deaf, so I will move on with my life, while you continue to pat yourselves on the back.

Open Source. Closed Minds. We are Slashdot.

Re:what is obviously being overlooked...

Looks like M$ PR people are finally reading slashdot.

MSN tells about it.

It's on the MSN default homepage, multiple times, the article even mentions slashdot.org.

bzzzzzzzzzzzzt! wrong!

MS did NOT try to run Hotmail on NT, I know, I was there.

the Hotmail programmers couldn't program their way out of a wet paper bag. MS had a heck of a time getting their systems to keep working at all.

Snooped on my girlfriend's account ... whaouh

Hah damn it, that was interesting! Maybe I should'nt have done that. Could'nt help though. Well ... that puts you in perspective, I guess. Never trust women!!! As if I did'nt know it ... but somehow I wanted to believe she was different. Ah! That's a good one.

Re:Snooped on my girlfriend's account ... whaouh

I did better, and snooped on my EX-girlfriend's account. It was a religious experience.

Re:Snooped on my girlfriend's account ... whaouh

Well, I'll never trust MEN now... I suppose you think YOU'RE honest, huh... Couldn't wait to stick your dirty little snooping nose into her private affairs... Well, I suppose I can see why she cheated on you. GOOD ON HER!!! PS. Should'nt is spelled shouldn't. Could'nt is spelled couldn't. You can look it up.

Re:Snooped on my girlfriend's account ... whaouh

Well, I guess that she should have become your ex a long, long time ago, maybe that way you wouldn't come out as a jerk you are... good for her! :))) spook

Hotmail cracked AGAIN?

Is this CNN story a rehash of past events, or is hotmail still vulnerable with a slightly different URL? The title says it's wide open, and it's dated about 45 minutes ago, so I guess Hotmail still hasn't totally fixed it.

Re:Hotmail cracked AGAIN?

I have spent all afternoon corresponding with reporters and sending them an address that was posted here (with a different IP address ending in .99), essentially screaming at them that while MS was claiming the fix, the hole remained, lambasting MS for lying about the fix, etc. MS plugged this hole at 4:45 PM eastern today, after the reporter from MSNBC that I tipped off contacted them. There are probably other holes of course. Direct reporting from slashdot, via me, to major media include the stories on msnbc.com and cnn.com Thanks to slashdot and the fact that I had nothing to do today, hopefully our e-mail is a bit more secure. At least until we close our hotmail accounts (opened, in my case at least, long prior to the MS acquisition). -zartan

Re:Blammo!

And that's not the only micro$oft site that is running apache on a unix platform. a friend of mine (micro$oft, not hotmail, employee) just pointed me to this:
homepage.msn.com.

Re:CNN Headlines !

It's not an NT or a BSD bug... it was independent of the OS. It was just plain ol' sloppy CGI scripting. Duh. But Microsoft owns the site, and Microsoft *is* responsible for the site and security.

HERE IT IS!

http://209.185.243.144/cgi-bin/start?curmbox=ACTIV E&js=no&login=USERNAME&passwd=eh replace USERNAME with the person's e-mail.. its neat but dont do anything malicious.. cause then they may kill you.. or worse.. i mean.. its microsoft :o)

Re:HERE IT IS!

yeah, so it like doesn't work and stuff.

Re:HERE IT IS!

get a life !!!!!!

Re:HERE IT IS!

get a life !!!!!!!

Re:HERE IT IS!

[Prince_Rool]

I missed it.../me starts to cry.
Since my account was hacked using this method, I'm screwed. And its the centre of EVERYTHING! My web site e-mails me the password of it when I forget it etc.. I REALLY REALLY REALLY need to know if there's ANY way to hack it at all? (not including a fake login page or something) by the way, Its prool@hotmail.com, reply to p_rool@hotmail.com if you can find it in your hearts. And i'm 12 by the way.

Re:what is obviously being overlooked...by you

Indeed, Hotmail was not originated by M$ and it runs on Unix - but this new exploit, which looks pretty simple, was never out until the new M$ Passport login crap was introduced. Think there might be a connection? Open Mouth. Close Piehole.

Not a bug?

This problem doesn't strike me as looking like a bug.

The problem is not that the password isn't correctly passed to the cgi script, the problem is that the cgi script doesn't implement any pasword verification. It would be a bug if say the web page was returning a "password" parameter, but the script was looking for "passwd" causing logins to fail.

Either they just weren't able to implement a secure login that worked with the features that they want to provide (the passport thingy), or they think that security through obscurity is sufficient. I'd bet that who ever wrote this knew it was a hole; that person probably doesn't keep any important email on HotMail!

I'll be laughin' when the first class-action suit is filed.

they fixed it again... for how long?

hotmail's engineers have fixed the bug removing the cgi page... or they probably just rename it ?

Re:When did they switch to Passport?

Microsoft says "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages". More accurate: "We found it was possible for a six year old kid to gain access to the Hotmail servers through specific knowledge of reading and being able to type (even slowly with one hand)".

EXPLANATION OF A BUG!!!

This is very funny!! I was just reading mod_perl documentaion when i stumbled upon this:


When you start running your scripts under mod_perl, you might find yourself in situation where a script seems to work, but sometimes it screws up.
And the more it runs without a restart, the more it screws up. Many times you can resolve this problem very easily. You have to test your script
under a server running in a single process mode (httpd -X).

Generally the problem you have is of using global variables. Since global variables don't change from one script invocation to another unless you
change them, you can find your scripts do ``fancy'' things.

The first example is amazing -- Web Services. Imagine that you enter some site you have your account on (Free Email Account?). Now you want
to see what other users read.

You type in a username you want to peek at and a dummy password and try to enter the account. On some services it does works!!!

You say, why in the world does this happen? The answer is simple: Global Variables. You have entered the account of someone who happened to
be served by the same server child as you. Because of sloppy programming, a global variable was not reset at the beginning of the program and
voila, you can easily peek into other people's emails! Here is an example of sloppy written code:

use vars ($authenticated);
my $q = new CGI;
my $username = $q->param('username');
my $passwd = $q->param('passwd');
authenticate($username,$passwd);
# failed, break out
die "Wrong passwd" unless $authenticated == 1;
# user is OK, fetch user's data
show_user($username);

sub authenticate{
my ($username,$passwd) = @_;
# some checking
$authenticated = 1 if (SOMETHING);
}


Do you see the catch? With the code above, I can type in any valid username and any dummy passwd and enter that user's account, if someone
has successfully entered his account before me using the same child process! Since $authenticated is global - if it becomes 1 once it'll be 1 for
the remainder of the child's life!!! The solution is trivial -- reset $authenticated to 0 at the beginning of the program. (Or many other different
solutions). Of course this example is trivial -- but believe me it happens!

Re:Holy cow

There is an inherant problem in all WWW based POP3 email checkers... you are essentially telling a remote site...
Your username on your ISP (name@isp.com>
Which ISP you use (name@isp.com)
Your login password

I wouldn't trust any internet site with that information, no matter how big and friendly they claim to be.

Multifaceted Jimbob

Microsoft's Response

Haha...here's what MS has to say: "Hotmail experienced service issues that have generated questions about security"

Re:Microsoft's Response

http://www.microsoft.com/presspass/misc/08-30hotma il.htm

Re:When did they switch to Passport?

Yee-Haw! Finally, I'm a malicious hacker!

Re:Holy cow

There's just one little thing that you are forgetting here... You mail password and username doesn't have to be the same as your login name and password... Mine isn't, that's for sure.

Hotmail informs about the hack!

http ://lc2.law5.hotmail.passport.com/cgi-bin/dasp/cont ent_secureres.asp?_lang=

Hotmail informs that it's only a potential security issue. They claim they took the server offline, but from what I have read on /., it took far too long. I'm happy I stopped using the service when Microsoft took over, although I believe that the hole has been there for a longer time than just a couple of hours.

Re:Hotmail is on Unix

What you just showed was that the initial web-server is Apache, what's your point? Latest I heard they do run the hotmail-accounts on a MS-platform. They did have some problems initially with the scalability, and had to go to SUN (I think) to straighten things out, but have solved the matter lately. Until now that is.

Re:By Design? since MSN Mess hotmail access disabl

When trying to view a Hotmail inbox of MSN Messenger you get this:

Forbidden You don't have permission to access /cgi-bin/start on this server.

It's either something on Hotmail's end or something that will require an update for Messenger and how it connects to Hotmail. The /cgi-bin/start was the script which let anyone in without a password. They have blocked access to it until they can fix it.

Re:Blammo!

At a recent MS tech conference it was relayed by MS to all of the attendees that hotmail would be converted to a WIN2K/Exchange Platinum environment once both products are commercially available. Some of the major changes that have been made to Exchange were made so that it could handle the type of load that hotmail carries.

A very cunning plan by MS, or a bad mistake?

You realise that this ofcourse could be some kind of plan on MS's part to discredit the security of UNIX and make it appear as though NT is the solution. Perception is everything. They may have finally found a way to get hotmail to run using NT. Then introduced a bug in their security, and distributed to the right person a method for exploiting it. Then when the exploit becomes public knowledge, they switch over to their NT system that took ages to get going and then, say to the world, "Look at how quickly we swapped to NT and got it installed and it works and has no security issues. As you know we had BSD and is was hacked, You should all buy NT". And everyone will believe NT is more secure and Microsoft will come out looking good. Or maybe I'm giving them WAY TOO MUCH credit. John

Re:A very cunning plan by MS, or a bad mistake?

[Dom]

Or maybe it's a convenient way for certain people to read your email as a matter of course?????

Re:Holy cow

He was talking about the pop3 checking. and an excellent point. I will continue to use the feature, but in the future I will not leave that info on my freemail account, just enter it when I need to check.

Re:Hotmail.com on UNIX right?

In case you haven't heard, computers don't run themselves... give a company the best software in the world, and if they're morons, they'll screw it up royally - i.e. Hotmail.

Re:Blammo!

or the early worm get eaten by the bird...

Re:Blammo!

hotmail is running free bsd, and always has. they tried to run it on nt but that did not succeed, so they went back to free bsd. i thought free bsd was pretty secure?

Why Sign With Us?

Your e-mail is private and secure (yeah right! hehehe)

When you sign up for Hotmail, you choose your personal ID and password. The only way you can access your account is by using the password you select. This means that only you will have access to your Hotmail account, even if you use a computer at a public terminal or a friend's house. (unless you use our convenient form based access if you "forget" your password... hehe)

Because the messages in your Hotmail account are stored securely at a central location, you don't have to worry about losing important information if something happens to your computer. (until someone breaks in... heheh)

Hotmail is strongly committed to keeping your personal information confidential. For more information on our Privacy Policy, click here. (the info goes straight to billg's desk. he reads it all! he knows who you are... heheh)

Sign Up Now!

excerpt from: http://lc3.law5.hotmail.passport.com/cgi-bin/dasp/ hminfo_shell.asp?_lang=&beta=&content=wh ysign&us=ws

/. k.d. /. earthtrickle - Monkeys vs. Robots Films

Re:Hotmail & SPAM

It is actually incredibly difficult to send spam from hotmail. It is not a task that is easily automated because you have to go through their web interface for each and every message. Sure you could probably script it with perl, but that is far beyond the skills of 99.999% of the spammers out there.

Instead, when people say that the only thing they get from Hotmail is spam, they probably mean somebody forging mail with headers to look like it is from hotmail. Which is kind of what you said, but unless you read procmail filters it wasn't so obvious.

In your case, the procmail rule won't stop someone who is forging the X-Originating-IP line either, but it is probably good enough for most spammers.

Re:The address

Well this seems to be down. Try http://lagparty.org/hotmail/ instead.

Re:Found the link...too late (This here works)

http://207.82.250.99/cgi-bin/start?curmbox=ACTIVE& js=no&login=&passwd=eh

University of Karlsruhe represent!

Before anybody starts crowing ...

1) We're not told in this story where *exactly* the security hole is (in which part of the system)

2)According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"

So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.

Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.

Re:Before anybody starts crowing ...

[Agrajag]

Its nice to know that the login form is hosted by a *NIX, but what about the machines hotmail users really use to read their email? Right now I'm reading email on hotmail, and the actual web server it is using is lw4fd.law4.hotail.msn.com and its IP isn't one of the ones that www.hotmail.com points to. Has anyone checked the OS/webserver/etc for these other machines?

Re:Before anybody starts crowing ...

[jafac]

Before you go on the "Linux FUD" defensive, why not read all of the posts and learn a few things:

1. It's not hotmail per se that was cracked, it was Passport.

2. Passport runs on IIS.

3. ANY OS can be insecure if administered by a fool. In this case, it wasn't the OS, it was the web application.

"The number of suckers born each minute doubles every 18 months."

Re:Before anybody starts crowing ...

[gr]

From netcraft:

lw4fd.law4.hotmail.msn.com

lw4fd.law4.hotmail.msn.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD

Re:Before anybody starts crowing ...

[cHiphead]

Oh look, what a coincidence... >2. Passport runs on IIS. Now we start crowing. Bad programming is bad programming, and don't tell us not to bitch at MS for it. And why dont you fuckers ever leave an email? Maybe one of the sane among us (like me, on occasion) would like to find out more about your position (and change it for you..mwhahah.. hehe can't...resist...must..brainwash...) Coming soon to a universe near you..

Re:Before anybody starts crowing ...

[cHiphead]

Oh look, what a coincidence...

>2. Passport runs on IIS.

Now we start crowing. Bad programming is bad programming, and don't tell us not to bitch at MS for it. And why dont you fuckers ever leave an email? Maybe one of the sane among us (like me, on occasion) would like to find out more about your position (and change it for you..mwhahah.. hehe can't...resist...must..brainwash...)

Coming soon to a universe near you..

Re:Before anybody starts crowing ...

[The+Fonze]

> So, don't start going on about how NT sucks like > a bunch of sharks smelling blood. It's
> unbecoming.


for a marine maybe, for a slashdotter...absolutely not.

> - e.g. high-profile incidents like these can
> have an effect on developments in web-related > > industries.

excellent point. another blow to all the poeple who think e-cash/online everything is going to take over all business, BULLSHIT, we can't even keep our mail away from prying eyes, how is anyone supposed to trust a website with their account information? If I need a book, I'll take a ride to barnes-and-noble, and hang out for a bit...if some punk kid tries to steal my credit card, he's going to have to take it from me physically.

Re:Before anybody starts crowing ...

[witz]

Heh. God forbid that MS should patch their *beta* software on that test site.

Re:Before anybody starts crowing ...

[JonK]

Do I take it from this that you never take your plastic out of your wallet? Because if you do, then all sorts of people (shop staff, waiters, call-centre workers etc) all know your credit card details.

Admittedly, modern (i.e. last couple of years) tills and credit card swipe machines have now started printing only the last five digits of your card number on your receipt, but they're still in a minority. The rest have your card number, expiry date, name, inside leg measurement and just about everything else too. Feeling secure yet?

The only way to get round it is to pay cash or cheque for everything, I'm afraid. Wired economy my arse...
--
Cheers

Jon

Proof?

[Gleef]

Why should I prove somthing I never said? I said that MS marketing people have often mentioned they'd like to increase NT's presence at Hotmail, not that there are plans for wholesale conversion.

In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).

----

207.82.250.251

[Gleef]

$ nslookup
> 207.82.250.251
Name: wya-pop.hotmail.com
Address: 207.82.250.251

> set querytype=any
> wya-pop.hotmail.com
wya-pop.hotmail.com preference = 20, mail exchanger = mail.hotmail.com
wya-pop.hotmail.com internet address = 207.82.250.251
hotmail.com nameserver = ns1.hotmail.com
hotmail.com nameserver = ns3.hotmail.com
hotmail.com nameserver = ns1.jsnet.com
mail.hotmail.com internet address = 216.33.151.135
ns1.hotmail.com internet address = 207.82.250.83
ns3.hotmail.com internet address = 209.185.130.68
ns1.jsnet.com internet address = 209.1.113.3

----

Re:Blammo!

[Gleef]

Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.

----

don't work no mo'

[Shiska]

you can login as a user and get a list of their mail, but you can no longer view it. ...shucks.
----------------- ------------ ---- --- - - - -

Re:don't work no mo'

[gr]

Ah.

So that's why I couldn't read admin@hotmail.com's mailer error messages.

;^>

Re:don't work no mo'

[TheHornedOne]

Not true.. what's going on is that there's alrady someone else reading the mailbox that you're going after. Likely, if the owner has logged in this AM, you won't be able to read his/her messages but otherwise it's still open season. This is fscking ridiculous.

CNN's take

[abischof]

Here's CNN's take on this.

Alex Bischoff
---

DING

[drwiii]

Here's my mirror of the exploit

Sorry, Billy. Really.

Re:Web mail

[shogun]

Actually I like POP too, is there an implementation of it out there that uses encrypted passwords?

What are the implications?

[kris]

What are the implications of this regarding the
Microsoft Passport programme? From hotmail.com:

Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSNTM HotmailTM member, you can use your Hotmail member name and password as your Passport!

That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites-without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.

Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click-without having to re-enter any information. No multiple sign ins, no hassles!

Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?

Re:What are the implications?

[laktar]

Well if they're using this same system, then all the passport sites will have the same URL form and you should be able to get into all of them. Just substitute an IP address.

What I'm thinking is that as M$ starts to offer more services like this, you could really fuck someboy over good by logging in to one of them and changing their password.

-Laktar, a.k.a. Nick Rosen, laktar.dyndns.org


If I Ever Became An Evil Overlord:
45. I will make sure I have a clear understanding of who is responsible for
what in my organization. For example, if my general screws up I will not draw
my weapon, point it at him, say "And here is the price for failure," then
suddenly turn and kill some random underling.
-- Peter's Evil Overlord List, http://www.eviloverlord.com/lists/overlord.html

Re:What are the implications?

[akey]

There's a very good chance that the forged information will be used/accepted by other services. When you log out from Hotmail, you get a screen showing you what services that Passport is logging you out of.

Re:What are the implications?

[spencerogden]

Sure, just move to another MSN site with the links on the page. Anyone can fee free to check my mail or my stock accounts with abandon. They won'y be there much longer.

Spencer

Re:What are the implications?

[mortalcoil]

The implications? For starters, regardless of where the security hole is, NT or Passport or Apache or wherever, hotmail is still a Microsoft-run site, and is the source of a lot of Microsoft propaganda, and considering the high-profile nature of the security hole, this is likely going to be a PR disaster for them.

Some time ago, Microsoft gradually began to trade engineering and software talent for PR and marketing talent, resulting in well-advertised software that sucks. This is, to date, possibly the most high-profile example of Microsoft's shift of priority from programming to propaganda, and hopefully will alert the public at large to a lot of the smaller issues - Outlook, Word, Macro viruses, poor implementation of PPTP, etc. that the Redmond PR dept. slipped under the rug.

CNN says they "tested" it too

[Wansu]

Others have mused about the possibility of the Hotmail lawyers coming after people who exercised this security feature. Well, CNN says they did this so I guess they are in the soup too.

Now a buddy of mine says, "Watch M$ turn this around and say they've fixed the problem by switching to NT!"

Arrrrrgggghhh

MS...

[Wyatt+Earp]

I'll throw this one out.

What are the chances that MS "allowed" this hole to exsist so they could spread FUD about *NIX.

"This just shows the world that a free OS built by a bunch of hackers in thier bedrooms can't compete with an Industry Supported OS like Windows 2000."

How long till something like that comes out of Redmond?

Re:MS...

[witz]

None. That's the dumbest fucking theory I've seen on here in a long time. And I've seen some stupid ones. This hurts MS's reputation, it doesn't help it.

-witz

Slashdot practicing security through obscuity

[Sanity]

Is not giving us the URL in the posting not an example of using security through obscurity?

--

Re:If the Microsoft passport is the problem

[jafac]

FUCK that!

"The number of suckers born each minute doubles every 18 months."

Re:Still working...

[jd]

It seems probable. And, for all the speed of Slashdot, it's improbable that the hole was posted here first.

And, even if the admins of Hotmail don't read Slashdot or other tech news sites, the massive surge in activity, PLUS the massive surge in accesses of mailboxes should have rung alarm bells from Hotmail to Antarctica and back.

If THAT weren't enough, the admins must be aware of a huge increase in the number of people accessing via a single machine, and via a single method.

If that STILL weren't enough, they must have been notified by now that something's going on.

Finally, if complaints, surging activity from a single computer, news everywhere of the hole, and a massive increase in the use of Passport, were not enough to pull the plug, I'm sure journalists read Slashdot and some may have phoned Hotmail for a comment. System cracking is still news, even these days.

Yet, despite all of this, Hotmail still has that security hole wide open. *SIGH* That is astonishing.

Re:Found the link...too late

[jd]

There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.

Other sites allow you the same.

[red_dragon]

There's a bunch of sites that have the same effect. Like http://www.erikaweb.com/misc/hotmail.htm, for example. Just go to AltaVista and search for "hotmail login -host:*.hotmail.com".

It seems like Hotmail doesn't check for the password when you first open the mailbox when the referring page is not in Hotmail's domain. Big hairy bug indeed.

party's over.

[quadra]

looks like they disabled that cgi.

The real loser isn't MS, its users who needed anon

[substrate]

There are a lot of people who were doing illegal things through Hotmail who are potentially under surveilance through this insecurity. I don't really care about them. (I'm not talking about the person who occasionaly forgets that Microsoft Word or Quake 2 or whatever is a commercial product, but more the people who put up a tonne of stuff and use it to generate money whether through banner ads or subscriptions) I am concerned for the people who wanted anonimity for legitimate reasons. Maybe they were anonymously subscribed to sexual abuse survivor mailing lists or online support groups for the differently gendered.

A lot of people are going to state that these people were stupid for relying on a Microsoft service, but where are they supposed to go? It isn't stupidity so much as a lack of education. This is compounded by the people who are technically capable of doing the educating. Too many of them are too busy looking down at the unwashed masses to communicate the options and hazards involved with the various options.

A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (its been awhile) which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.

There are probably others (I don't use anonymous email myself, I do use services that allow me a perpetual email address for non-critical stuff, like providing head hunters a consistant address)
but the only thing you really hear about are Hotmail or Lycos etc.

Microsoft culture, chaos and flawed security

[acb]

It's not a matter of who owns it; rather, the underlying pattern of lax security that has become a hallmark of Microsoft implementations. This is not the first example; take, for example, Windows' e-mail attachment handling (which allowed the Melissa virus to flourish, over a decade after the Internet Worm should have taught everyone a lesson), ActiveX (which can either be disabled or insecure), and the numerous NT security flaws.

Microsoft have a culture which assumes that networks are controlled and orderly, much like corporate LANs, rather than the chaos of the Internet. This comes up in their assumptions, and their lack of attemption to security. The Microsoft Passport hole is merely the latest example.

Security and platforms

[Oestergaard]

I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.

It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.

Except from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure ?

Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.

One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing ?

We still need C, we still need string handling, and since every system has it's own way of authenticating users, it seems there is little to be done at all.

Re:Security and platforms

[Mawbid]

We still need C, we still need string handling, and since every system has it's own way of authenticating users, it seems there is little to be done at all.

Well, I haven't dealt with authentication myself, but if I had to, I'd begin by taking a close look at PAM rather than rolling my own.
--

Re:Security and platforms

[BJH]

OK, what he's talking about here is a class of security problems called buffer overflows. Basically, the problem with sprintf is that its output goes to a string - which has a defined length. This string could be a buffer array for data within the program. Thus, if the original data used for the input to the sprintf can be altered by the user (for example, through environment variables or program options), it allows a random user to stuff data in areas of memory past the end of the buffer array. If this buffer array is in a predictable position (as it might well be on the stack), a skilled cracker (or a script kiddy with a ready-made program) would be able to shove hand-tailored data onto the stack, which if executed could be made to give root priveleges to the cracker. The fix is to use snprintf instead (which requires the length of the buffer array as a parameter).

Re:Security and platforms

[Stonehand]

Neither sprintf nor sscanf has an ability to limit how many bytes it reads into, say, a (char*). This means that if you get input from a user (perhaps copying from argv, or the environment variables; or so forth...) and use these routines to copy 'em without checking: you lose.

---
char foo[10];

/* don't do this */
sprintf(foo, getenv("HOME"));
---
for instance, or something to that effect, can copy more than 9 characters (plus NULL) to your fixed-size buffer. If you don't check and HOME is set to a very long string, you might lose *very* badly.

Hence, functions like snprintf, or using field length limits on scanf/sscanf -- but these aren't often used by people who aren't up on paranoid/defensive coding.

Re:Security and platforms

[bscanl]

Solaris7 can turn off execution in the stack.
breaks Java and a few other things.
It can log it too.

Re:Secure Web mail PATENT PENDING

[Dawn+Keyhotie]

Great. Yet another software patent-weilding money grubber. From the HushMail FAQ page:

HushMail implements patent-pending technology known as a "Public Key Cryptosystem with Roaming User Capability." That means that the only people who can read your HushMail are the people that you send it to. It also means that you can access your account from any computer that has a Web browser and Internet access, anywhere in the world! Remember that you can use your HushMail account to send email to anyone on the planet, but to take advantage of our 1024-bit encryption, all parties sending and receiving email must be using HushMail.

So to be useful, you just have to get all of your corresponents to also use HushMail. Right. Forget about all the existing PGP users. And how can you get a patent for something that is already widely available? Why all you have to do is tack 'Roaming User' onto the end of the description and Poof! The software patent fairy grants your wish. Watch out world, I got a patent so I can sue your ass off if I feel like it!

Re:Who do I sue?

[aqua]

And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)

I hope you're not inferring that it's a good idea to pass data through a POP3 server. Not sure if you've encountered this one yet, but POP3 (and most of its kindred) send passwords and mail in the clear, the same way hotmail does. Indeed hotmail would be slightly more secure, since the passwords are likely sent in a POST form, which is mime64-encoded and thus very slightly protected against casual over-shoulder interception. Further, POP is a much more common target for interception since its use is so widespread and the format is quite standardized.

"Secure mail," inasmuch as that can be taken as anything but a contradiction in terms, involves stuff like a secure transmission client, encrypted channels all the way from sender to recipient, storage in encrypted form or on a cryptographic filesystem on a trusted, isolated server, and a secure reception client. At present hardly any such systems exist. The ones that do -- well, they don't run POP3.

The address

[el_nino]

Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.

Anyway, I've been told they they use "Microsoft Passport" and that's whats been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?

Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'

Re:The address

[el_nino]

Oh well...

http://www.2038.com/hotmail/
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'

Re:The address

[kevlar]

Why don't you post the URL, since this is a public forum, and you're only sharing public information.

Re:The address

[suraklin]

They did.
No wonder I kept getting "connection refused" from the hotmail server this morning.

And conincidentally..

[drix]

Consider this ironically timed story on the front page of www.zdnet.com:

Microso ft Makes Reading Easier.

Yes. It seems they do.

Re:Hotmail is on Unix...

[The+Creator]

Yeah they just had to increase their hw by ~8000% first(maby?).


LINUX stands for: Linux Inux Nux Ux X

Bye Hotmail.

[Chas]

Just pulled ALL my stuff off hotmail (6 accounts) and notified all hotmailers that I know of the crack. Also fired off a nastygramme to Hotmail about their aircraft-carrier-sized hole in security.

I basically mimiced the first guy who responded to this particular post. "Holy crap!"


Chas - The one, the only.
THANK GOD!!!

A matter of time...

[Chilli]

This is exactly why I would never ever do anything but trivial conversion over something like a hotmail account. Sure, sombody could hack into my box, but a hotmail account is just begging for it.

Chilli

Re:A matter of time...

[Chilli]

Good point!

Chilli

Re:A matter of time...

[The+Fonze]

people say it time and time again, don't send anything in a text message that you don't want the world reading. I'll tell you what, if I had a hotmail account, I'd give everyone that password, better yet anyone who wants to read my mail, reply to this message, and I'll forward you everything. I promise.

Re:A matter of time...

[theaphila]

Actually, I use my web mail account for things i don't want traced back to me. Although I entered my correct sign up info, the security is so lax, i don't think an assertion that mail was actually read by/ sent by me could hold up in court.

Re:Blammo!

[Chilli]

Sure you need good software to make a good system, but in the end it is the administrator who makes the difference. So, at least we know who to blame ;-)

Chilli

Re:Secure Web mail

[rew]

> At least their encryption isn't just XOR-based. :)

Well, in fact many REAL (&safe) encryption algorithms are run in the xor-with-the-plaintext mode. As long as the bitstream that you XOR with is sufficiently unpredictable, that is perfectly safe.

You're thinking about xor-with-a-fixed-string or somethink like that. That's stupid.

You're bashing on XOR for no good reason. Leave XOR out of it.... ;-)

Roger.

Not stolen passwords

[Booker]

Perhaps this is obvious, but this is not just a stolen password list. I changed my password on Hotmail, and the crack URL still happily lets me in.

Nature of the exploit

[bgarrett]

I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).

Remember, Hotmail uses both Solaris and NT in various capacities.

Re:Nature of the exploit

[dirty]

From what I've seen basically Hotmail trusts a certain URL to be accurate w/o doing any verification of the password. This isn't an NT issue or a Solaris issue or any other OS related security hole. It's just bad programming on the part of whoever wrote the offending code. Whether it was MS who messed up or the people who originally wrote hotmail I wish I knew.

Re:Web mail

[JoeF]

Yeah, and have your password transmitted in clear text to your ISP. If you didn't know, this is the biggest drawback of POP3. Use IMAP instead.

Re:psycho fud-flingers!!!

[Mr+Z]

It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.

--Joe
--

HOW IT WORKS.

[Mr+Z]

Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login= username &passwd=eh

In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.

--Joe
--

Re:HOW IT WORKS.

[Cally]

Hmm, that doesn't seem to work for me. perhaps the Swedish site is adding a cookie which has a value set by a simple XOR of the username or somesuch obvious device.

Re:HOW IT WORKS.

[Asim]

Thanks for the info -- it makes the hack (and the relative ease of it) much clearer.
It's interesting to note that this hack only came about after the Microsoft Passport system was added, so far as I can tell. Sounds like the guys who developed it may not have paid close attention to that CGI 101 class they took . :)

Re:HOW IT WORKS.

[BigDaddyJ]

Aha!

Name: wya-pop.hotmail.com
Address: 207.82.250.251

That might explain a couple of things...

--bdj

Re:HOW IT WORKS.

[DeadSea]

Can sombody do a reverse name lookup on 207.82.250.251 and tell us where it points? I'd do it myself if I weren't behind a nasty firewall.....

Re:HOW IT WORKS.

[Spazmoid]

It looks up to here:
Server: ns.cfw.com
Address: 216.12.0.20

Name: wya-pop.hotmail.com
Address: 207.82.250.251

Web mail

[eponymous+cohort]

This is one reason why I avoid web mail. I prefer pop3 where the mail only sits on the server for a short time, and is then pulled down to my own system.

Plus your local ISP's pop server is not a high-profile target like Hot mail, making it far less likely to come under attack.

A generation's defining moment ...

[mjs]

"Where were you when you heard that Hotmail was cracked?"

Michael

A generation's defining moment ...

[mjs]

"Where were you when you heard that Hotmail had been cracked?"

Michael

Re:Who do I sue?

[Noke]

HOW much does a hotmail account cost you?

It Only Sorta Works...

[Evan+Vetere]

Yeah - logging in has worked fine, the five times I've tried it. The first four times I didn't read anyone's email, because I knew the people; I just picked a username at random and tried to open an email just now...

IE 4.5 isn't allowed on grounds I don't have cookies enabled. Bullshit; I'm using slashdot.

Just tried a sixth - same effect. I can see a listing but not view email. And the same result with Communicator 4.61-Mac.

Hmmmm....

Re:It Only Sorta Works...

[doce]

I encountered similar problems... some of the time. Some users I encountered this error. Others I did not. The exact error was in the vein of a "permission denied" error and looked as though it may have been caused by simultaneous logons (possible), or system overload (unlikely).

I have a hotmail account that I used when I worked at an ISP. We used it to test whether our mail filters were config'd properly. I suspect they still use it there, as the account is still there, though (i just saw) it has about 8 months of cumulative porn spam in it. I was able to read every one of them....

Re:Still working...

[Cally]

So the question is, just how long will it be before Hotmail admins wake up and pull everything down ?

• original /. post was at August 30, 09:23 AM EDT;
• At 3:50pm UK, ie. 9:55am EDT the exploit still works;
• Only *one* other media story AFAIK -- on The Register -- sorta fun to see who picks it up next ...

BTW it's a public holiday in the UK, so double plus good to the Register.

OTOH, 'there but for the grace of god'. How many of the sysadmins here are > 95% sure they've covered every hole & patched every exploit on every one of their systems ?

Re:Still working...

[Cally]

OK, so two minutes later (4pm BST, 10am EDT) it's blocked at last -- approx 40 mins from the first /. post. Anyone know what time news leaked before that ?

Re:At last, a credible story to scare my boss ...

[Cally]

I absolutely agree. I do seem to have made some progress in increasing awareness; and I've decided to leave anyway, for (partly ;) ) unrelated reasons ...

At last, a credible story to scare my boss ...

[Cally]

Trust == reputation == value to an operation like Hotmail, and this is going to make them a laughing stock.

In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.

Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...

Re:At last, a credible story to scare my boss ...

[wfberg]

Does Windows2000 EFS come with source?

If not, how can you tell it does anything different than, say, using your (hashed) username as a password to encrypt your files?

Now, if people had the sourcecode for hotmail.com, this sploit would have surfaced - and died - a lot sooner.. Before it went into a stable release, public website thingy, for example..

--

how interesting...

[cswiii]

..that it was almost exactly a year ago that this exploit was discovered...

Re:how interesting...

[Enoch+Root]

Nope. That's not the same security hole. In this case, it's a backdoor, because the Open Inbox doesn't check for password, which is downright silly. That's the kind of thing *I* would have thought of if I were designing a Webmail service. Silly, silly M$.

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Damn, I knew this a few weeks ago...

[clifyt]

I came upon this a few weeks ago while working on a simple to use menuing option for the administrators at my website. There are about 10 of us covering different aspects and we all take responisibilities answering emails and decided to keep the hotmail account one of us had set up.

I set up the 'click here to check email' on our menu, with all the form filled out as it was on the M$ site and it worked...I then noticed that it didn't require the password, but I thought that was because it had been cached some how. I tried it again from my laptop later that night (after forgetting to fix it) and it worked...hmmm...the next day I tried it again and the login proceedure no longer would let me access it even once I had the password entered in the hidden form...it'd only take me to the front login page.

Maybe this was just a temporary whole...shit I have kept holes wide open in attempts to keep my machines running at times while I'm working on something. To my former boss, there ain't nothing worse than a downed machine...he'd even accept hackers broke the system, but it was running than downing it. Lucky my latest one, cares more about protecting valuable information than someone being inconvienced...

clif

Probably a bug in their ftpd

[mattc]

There is some new exploit for wu-ftpd, proftpd, BeroFTPd going around.. I just got news of it from security mailing lists this morning. Basically, if you are using wu-ftp version prior to 2.5.0 you'd better upgrade!! I am not sure what versions of proftpd are vulnerable.. I just disabled the copy running on my home machine.

By Design? since MSN Mess hotmail access disabled

[just+someone]

From a ZDNet Message:

MSN Messenger Service disabled?

Since Microsoft has 'fixed' the security hole earlier this morning, my MSN Messenger service will no longer all me to directly login to my Hotmail Inbox. That's the only reason I even use the shitty service...

Coincidence? I think not.

Any MSN Mess users confirm this?

Re:By Design? since MSN Mess hotmail access disabl

[just+someone]

When trying to view a Hotmail inbox of MSN Messenger you get this:

Forbidden You don't have permission to access /cgi-bin/start on this server.

It's either something on Hotmail's end or something that will require an update for Messenger and how
it connects to Hotmail.

anon.penet.fi -- the real story

[DHartung]

substrate wrote:
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (its been awhile)

anon.penet.fi, yes. Read the story of its demise.

Key details not found there (unless you poke around some) are that the court case involved anonymous e-mail sent by a critic of the Church of Scientology, a lawsuit brought by Scientologists in Finland against Julf, and the subpoena served on Julf by reluctant Finnish police. Julf had simply hoped this day would never arrive; when it did, somewhat more quickly than he had expected, he was caught off-guard. Since he realized that he did not have the resources to protect the users of the service, he closed it.

which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.

Julf did a great job with anon.penet.fi, but let's not oversell it. The anon.penet.fi did nothing more spectacular than remail your text with its headers. There were instances of the service being spoofed, accidentally revealing addresses, and being abused by someone with prior (social) knowledge of the real e-mail address associated with an anon.penet.fi address. And in the end, it all boiled down to Julf: did you trust him? He was honorable, but that wasn't guaranteed.

Nevertheless, many thousands used the service mainly because it was the easiest anonymizer to use. And yes, as many security geeks pointed out endlessly, the ease of use made it more vulnerable than other systems.

Re:CNN is BSing (not really)

[DHartung]

Enoch Root (root@eruditorum.org) wrote:
The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot. [snip]

• 
  Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."
  

Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of /.ers. Besides, they don't mention the URL; how the hell could the CNN readers find it?

You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.

WHat bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog. Fortunately ZDNet is reporting that "a simple HTML script" (long way to say "URL") could also thread the security needle.

Re:Isn't ANYBODY the least bit worried?!

[DHartung]

miyax writes:
If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service.

Uh, actually, no. That should read "to any badly-programmed web-mail service". See, they didn't invent some gosh-darn super-duper smart-agent neural-net jacked-into-the-matrix hack; they found out that Hotmail hadn't locked all the doors, that's all.

(Sadly, that's pretty much the case with ANY system cracking.)

Crack Famous Email

[InitZero]

Forget the security implications for a moment. Why not start cracking the email accounts for fun? For example, there are a number of Congressmen who use Hotmail accounts. And folks in the media (think: anchors). Heck, even Monica Lewinsky used Hotmail, right? (Try: mlewinsky.) There could be a lot of fun had here before Hotmail fills the hole. (Which I'm surprised they haven't done yet.)

Re:what is obviously being overlooked...by you

[Todd+Knarr]

No, Microsoft didn't start Hotmail. However, Microsoft did start the Passport integration. In the course of doing this, they modified CGI scripts and failed to think through the security implications of what they were doing. Which is par for the course for MS. End result: because of a stupid error by MS, large numbers of people had e-mail compromised. In any competent setup, this error should be caught before going into production. In most Unix shops, it would get caught. Around MS, failure to catch things like this is endemic, which is why I don't trust their products from a security standpoint. I'm just happy I don't need Hotmail to get Web-based e-mail.

Holy cow

[Dakota]

This is just way too funny.

Re:Holy cow

[Sonic-B-PHuCT]

Hotmail has the ability to check other accounts via pop3. I couldn't verify the hole, so I wonder if any of those accounts were comprimised also.

I ask because when I'm behind a firewall at a customer site, I have to use hotmail to get to my personal e-mail that's not on hotmail.

Re:Holy cow

[Moofie]

You might consider mailstart.com or mail.yahoo.com or mailexcite.com or ureach.com or any one of the bazillion other web POP clients. They can't ALL suck.

Re:Holy cow

[Sun+Tzu]

but made less funny by the fact that they don't run hotmail on MS-ware, as of the last I heard.
Yipes!

Re:Holy cow

[bendawg]

I think it is MS stuff. Hotmail is owned by Microsoft isn't it? It appears that way, by the big MSN Hotmail thing appearing on the main page.
I've always stuck to Rocketmail...Owned by Yahoo.

Hotmail is on Unix

[webslacker]

See for yourself.

Re:Hotmail is on Unix

[jjackson]

From the stories that I have heard M$ tried to run hotmail on NT when they first acquired it and it failed miserably. NT couldn't even come close to scaling large enough to handle HotMail traffic.

Yeah... hotmail runs on Unix. BUT, this is not the issue. It would not matter if it had been running on Apache, FastTrack, IIS, etc. The security flaw was in the code for site itself.

This in no way puts a bad mark on Unix (namely FreeBSD) or Apache. Instead it makes the guys that are in charge of security for HotMail at M$ look like fools.

Had HotMail been on IIS (NT), this would not be the first major loophole that we would have heard about.

Whoops

[webslacker]

I hope nobody else thought I was accusing FreeBSD of being insecure! It just sounded like Bendawg thought Hotmail was running on top of Windows. Er, maybe not. Whatever. Bottom line is, MS can make anything insecure.

Re:Nothing wrong with web freemailers...

[Bartmoss]

Secure web-based mailer?
Easy.
Put MindTerm (java-based SSH) on a web page on your server, log in, and use pine 8-)

This sounds reasonably secure to me. :)

This is bad...

[Bartmoss]

Well, I saw it coming. I was never a friend of web based freemailers, anyway, especially not hotmail. However, it would be interesting to know more details on this hack. Is it just a hotmail problem? What about other freemailers such as yahoo? is there some official statement by hotmail? Inquiring minds would like to know.

Re:Wow, this is pathetic (was Re:TRY THIS URL !!!)

[codejnki]

Well I tried the URL and it didn't work. But I'm not surprised I'm getting to this rather late. What makes me laugh though is that in the past months they have been screwing with Hotmail so much supposedly making it more secure.

Who ever thought up that woderful scheme of routing through a secure server should be drug out in to the street and shot. Now I can't check my hotmail with lynx.
----
"War doesn't determine who's right, just who's left"

psycho fud-flingers!!!

[UM_Maverick]

First of all, Hotmail is not run on NT, and does not use ASP. It is run on FreeBSD/apache (see netcraft for details). They tried to migrated it to NT when they bought it, but NT couldn't handle it, so they switched back.
Second of all...well, there is no second of all, but I wanted to make sure everyone realized this is NOT an NT problem.

Re:psycho fud-flingers!!!

[Zoltar]

It doesn't really matter what system it's running on...a system is only as secure as the people who administrate it...of course some are better than others :)

I would say we can lay full blame on the boys from Redmond until we hear otherwise.

Re:psycho fud-flingers!!!

[My_Favorite_Anonymou]

Well maybe they can blame it on the solary/freeBSD hotmail's using and announce plan to move to more secure software platform a.k.a. Windows 2000.

CY

Re:psycho fud-flingers!!!

[jmoo]

I get an error about cookies not existing for the e-mail message. I didn't have this problem until just a few minutes ago. Guess MS is trying something. Still a huge security hole.

Re:psycho fud-flingers!!!

[cheese63]

i could. i logged on to my brother's account and read his messages... it's pretty bad.

Hotmail Exploit

[NighthawkFoo]

I just went into my g/f's account with no problem - it looks like the hole is still open!
------------------------------------------- --------------

"We are but packets in the internet of life."

CNN Coverage

[Serk]

Whoah. This is now the lead story over at CNN Interactive... (HTTP://www.cnn.com)

The swedish guy...

[tweek]

So how long will it take ms to go hunt down the guy who owns the domain? Wonder if his server got cracked and it was posted there?

Re:The real loser isn't MS, its users who needed a

[tweek]

yeah i remember that story. anon.penet.fi was shut down by the finish government i think. That was a sad day. Alot of the people on thier were survivors of sexual abuse and what not.

More info ?

[Raphael]

I wonder if the information about the compromised accounts will ever be mentioned on the HotMail pages...

In the meantime, does anyone have more details about this? Specifically, I would like to know if the crackers stole a list of passwords or if they found a way to enter the site without using a password. In the former case, you would only have to change your password to be safe. In the latter case, you could hope that the HotMail staff would patch the hole quickly.

Re:More info ?

[big-dog]

I believe its an actual hotmail hole. I saw the site and actually checked 2 of my hotmail accounts with just putting in my account name. THATS IT! I say Microsoft hurry up and get patchin!

Re:More info ?

[sevenseven]

yeah.. i guess the only safe thing to do is to hurry and clean up your account and make sure you do not have anything valuable there...

Microsoft spins and my stomach turns

[Neurowiz]

I quote:
"Once we were notified we began investigating," the spokesperson said. "We found it was possible
for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy."

http://www.news.com/News/Item/0,4,41 069,00.html

Hrm.. "advanced Web development languages".. URLs that map to backdoors.. uh.. OK. Hey.. I know HTML.. does that mean I'm super advanced? Maybe I can apply to Mickeysoft and get a nice job... fixing those highly advanced URL type of problems.

Sheesh.. they can't even come up with good spin. C'mon, I'm thinking alien attacks, Bill gone mad, Linux/BSD users invade Redmond and take over the place... ANYTHING but this sort of crap.
--

This explains why Passport is so slow and broken.

[cpeterso]

I use two MSN sites that use Microsoft Passport, Hotmail and MSN Investor. They refuse to cooperate with Passport! Investor has a feature to store your portfolio on a centalized server so you can view it from any web browser (after authentication), but that portfolio never responds or it scrambles my portfolio data. When I then jump to Hotmail, it forgets my password (which I asked it to remember on my home computer). Damn this software is stinky..

Re:Not the first time

[Black+Parrot]

Wired is reporting that the same thing happened 6 months ago, and it was fixed without getting any media attention. The cr/hacker group that reported this one was supposedly publicizing it because MS only fixes things right when it lands on the front page news, and they wanted to call attention to that problem.

Wired also reports speculation that it was a deliberate backdoor that was supposed to be secured by obscurity.

Who knows? But if I had a hotmail account I'd assume that people had been reading my mail (and doing Bog knows what else) for months.

Hotmail playing it cool

[stuntpope]

Here's what Hotmail has to say about the crack now:

Dear Valued Customer,

You may be aware from published reports that today MSN Hotmail experienced service issues that have generated questions about security.

Microsoft was notified early Monday morning (August 30, 1999) of a potential security vulnerability that could enable unauthorized access to Hotmail servers.

Typical underplaying. Plus, it's confusing - it states the problem occured "today"..well, I'm reading it on Tuesday. The typical non-techie reader of that might read that and think "huh?" and continue on, business as usual. He/she might think twice about using Hotmail if their public announcement stated,

"For some time, Hotmail accounts were open to anyone possessing knowledge of a hack that was widely distributed on the Internet. People with this knowledge, which was fairly simple, could read your email, delete it, and/or send email impersonating you. We don't know if any of this happened to you, but on Monday, after this exploit was featured on several news sites, we kept Hotmail up for hours while probably millions of people roamed through the Hotmail service, gaining unauthorized access to countless accounts. Cross your fingers. Thank you, and we hope you continue to enjoy our superior service."

Potential security vulnerability indeed.

Fun Things To Try...

[the_tsi]

The obvious first thing to do would be to suck a couple million blocks from the leaders on distributed.net... look for people using hotmail addresses, send them their password, read it, then assign their keys to another address. Now, this could certainly help Slashdot catch up with Guy Kawasaki and his playmates, but it might be a better way to get one's own participation in jeapordy.

-Chris

Re:Isn't ANYBODY the least bit worried?!

[Mike+A.]

And I suppose you've never locked your keys in your car before?

Re:Isn't ANYBODY the least bit worried?!

[Mike+A.]

I feel I should amplify.

If you have ever locked your keys in your car, or left the headlights on while you went shopping, or nuked something in the microwave and then forgot about it, this could happen to you. I don't mean to downplay the severity of this, it's a serious bug with significantly negative consequences, but the only prerequisite to making this sort of bug is to suffer from a temporary case of sheer absent-mindedness.

Perhaps a better analogy, come to think of it, is the flawed mirror of the Hubble telescope. As I remember, that was also caused by a very simple but (as it turned out) very costly blunder.

Re:The real loser isn't MS, its users who needed a

[Siege]

There may have been a lot of survivors who used it, but I was also once sent flame-mail via the service. Of course I suggested that someone who dared insult me should do it to my face, which amazingly stopped that dead in its tracks.

Still working...

[RPoet]

It's still working... I can't believe something like this is possible - and it's not even /.'ed :)

Why don't MS just block requests from the referring host in question? How hard can it be?

Re:Still working...

[Lasse]

How about pulling the plug on all the machines...
its insane to keep the system running with
this kind of security hole!

I just wonder how long this has been going on?
I mean the guys who cracked it probobly played
with it for a couple of days atleast before
it leaked out?

/Lasse

Re:Still working...

[[TaMRieL]]

I haven't tried it myself (I'd be screwed with the IP I have now - too sensitive), but my friend, a Hotmail employee, reports that they allow ~5 moves with IP LOGGING ON, and sending mail from there will never actually send ... just go on to the bottom of your log...

Any links?

[mwillis]

Is this really true? Can somebody provide a news link for any stories? I don't think posting a link to the h4x0r www entry page is a good idea, though.

Hotmail Finally Taken Down (I Think)

[Danchez]

Could be just my connection, but I could not hit any of the hotmail servers.

About time they got around to fixing it.

Re:Hotmail Finally Taken Down (I Think)

[Danchez]

Well, to correct my self, when I posted the above the main site was down, but the back door still open.

Then around 10:45 the back door was finally taken down. (cgi access blocked)

Main entry now blocked, but backdoor still works!

[.@.]

I informed my users of the backdoor this morning, and told them to delete all private mail from their hotmail accounts.

One of the users just told me that when trying to log in from the www.hotmail.com page, they're getting "connection refused". I just checked, and it's still possible to get in via the backdoor.

It would appear that now, not only is the backdoor still open, but it's going to be impossible for legitimate users to clean out their mailboxes.

MS should just shut the site down until they can get this sorted.

Re:Hotmail is DOWN!!!!!

[GreedyFly]

kinda brings a tear to your eye doesnt it.

Nothing wrong with web freemailers...

[nwalker]

...just most current web freemailers. Web-based email can be really convenient. With more and more web-only free public terminals around, it's becoming a more standard and easier way to read your email than telnet.

What's needed is a good, free, SECURE web-based freemail. There have been a number of such attempts, such as HushMail, etc. - but all are pretty lacking. A good overview of "secure" web-based mailers can be found at Counterpa ne.

It's time for people to start rejecting inherently insecure solutions.

Yes. And changing your password doesn't work...

[GoodPint]

I've gone to the site and viewed two different hotmail accounts (mine and my brother's). My brother has _never_ used this machine to read his Hotmail (it's at work and he's never even been in the building!), so it's not based on cookies etc.

Changing your password doesn't protect you either.
I've tried it.

:o(

idea?

[TheFamousMrEd]

could someone write a perl script to break in there and start deleting accounts? i bet that the script could get rid of 2 or 3 million accounts before anyone caught on...

Blammo!

[Masker]

Microsoft with egg all over its collective face again. Heh heh heh. I thought, though, that hotmail was running on a *BSD box? I had heard that WinNT couldn't handle the load of hotmail, so they had to use *BSD (Don't know which varient). Can anyone clarify this? If it was NT, all the better.....

Re:Blammo!

[egon]

Unless I'm mistaken (a very distinct possibility) it is running off of Slowlaris boxen.

I would suspect that the hack was not in the OS itself, but rather the hotmail software itself.

Re:Blammo!

[bifrost]

Sorry, as an MSN employee, I must clear this up.
Hotmail started out with FreeBSD as the front door and Solaris as the backend. There are about 2000-3000 machines all running FreeBSD at Hotmail.
MS tried to use MS-Proxy in front of the FreeBSD boxes, and ended up dying pretty badly. Hotmail is pushing the envelope on the capabilities of the hardwares and OS'es it runs, so I don't think you'll see NT there in the next 2-3 years.
What was cracked was the Passport authentication scheme.

Re:Blammo!

[bifrost]

I don't think Exchange can handle 50M users, much less all of them trying to login at the same time like Hotmail can. In fact my Exchange server can barely handle just having 100 users, and its a Quad Xeon-450... Its always going down, and its mail database system always gets screwed up when the damn thing crashes. Having mail in an internal database is pretty lame, I could understand if they used SQL-Server for the DB, but they don't.

Re:Blammo!

[excalibur]

Correction... Hotmail is running Solaris on Intel architecture machines (I won't say boxes cause they aren't... all hail the Hotmail server farm) now this may have already been said but i'm to lazy to read through all the postings... P.S. i know the above first hand (ie. i seen it)

Re:Blammo!

[NtG]

Neither could Solaris.. that is why the hotmail server architecture is distributed.
There's a large chance that this is true.. MS would love for it to run on a system they created (and understand).. and it would be great advertising.

Re:Blammo!

[reflector]

I looked it up on www.netcraft.com.
The webserver, at least, is:

www.hotmail.com

www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD

hotmail offline?

[Ivo]

Hmm..

hotmail's cgi-scripts seem to be taken down.. hope they manage to fix the bug soon.

Greetings,
Ivo

Found the link...too late

[PeterMiller]

The crack stopped working a few minutes ago. Unless hotmail is /.'ed

Re:Found the link...too late

[My_Favorite_Anonymou]

Do you really think they don't know about it all alone, the fact that it works indicates that they can't fix the backdoor. I "log" on my own account sent some warning mail and change the password, but I can't read mail when I "log" on to another account, (the account is my full name, just want to know the fellow that shares my name.:)

CY

Re:Found the link...too late

[anti-hero]

I emailed them about it.. as admin@hotmail.com so that should grab there attention ;)

-- Antiher0

no, it was more like "NOW DAMIT!"

[Cptn+Proton]

Then they immediately issued a press release saying that the security hole in hotmail had been fixed....

Actully, maybe they had the lines hardwired, so they had to use wirecutters.......

It's sad, but no parchute for somebody.

[Cptn+Proton]

They're just gonna kick there butt right out of the plane and then toss them a parachute.

Somebody has to catch fire for this. My guess some middle-management blokes. There are no decent coders around to fire or else this probably wouldn't have hapenned.

Re:Secure Web mail PATENT PENDING

[jonathanclark]

The idea is pretty obvious if you ask me. I thought about doing it years ago, but IT'S ILLEGAL in the USA. They are located in Austin Texas, so my guess is that it won't be long before uncle sam shuts them down.

Re:Secure Web mail PATENT PENDING

[jonathanclark]

I did check out your web site, and I did not see any indication of this. Your domain record list an Austin Texas address and your FAQ makes no mention of legalities. I would think this is a fact you would want to make well know. I even wrote one of the email addresses on your web site about this particular question and recieved no reply.

Even with the precautions you have taken, I see you running into trouble with the law if you become popular. Make sure you put some money aside for the lawyers.

cnn.com message board: what's a hacker?

[harmonica]

Someone please go to cnn.com and explain to those who put up the message board HOW DO YOU DEFINE A HACKER? what a hacker is. I don't have the strength anymore... Sigh! Hacker != cracker, how difficult can this possibly be?

Re:cnn.com message board: what's a hacker?

[QuantumG]

another one.

Re:I wonder why...

[borkbork]

no kidding...
lets face it - security holes pop up on all platforms, *nix, windows, whatever. the key is how a company responds to the holes and m$ doesn't seem to have learned that lesson. they figure they can keep everyone in the dark for as long as possible.
the same thing happened with the big iis hack a couple of months ago

Class-action suit?

[The+Welcome+Rain]

It took Hotmail a good long time to respond to this crack, which has been up since Sunday morning proximo. During that time, much email has been illicitly read, some illicitly sent, a few DejaNews identities probably pirated.

If the users of Hotmail wanted to try their hand at a class-action suit, they might be able to pull it off. Yes, Hotmail is free, but they generate income based upon the number of users; therefore, their userbase is responsible for their income. They can't ask for their money back, but they can probably collect damages.

Something for an enterprising attorney to investigate!

--

Isn't ANYBODY the least bit worried?!

[miyax]

If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service. While I think this is funny, that's only because I don't use Hotmail! But I do use web-based e-mail (not telling which one so you don't get any ideas : ) and this scares the shit out of me...
miyax

Re:Isn't ANYBODY the least bit worried?!

[Enoch+Root]

But I do use web-based e-mail (not telling which one so you don't get any ideas : ) and this scares the shit out of me...

*looks up your email in the message header*

Oh, would that be, I dunno, Netscape.net?

*begins cracking* :-)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Re:Isn't ANYBODY the least bit worried?!

[swonkdog]

no, not really. if i have something that's extremely sensitive that needs to be sent somewhere it get's beamed directly through either modem to modem (security is more important than cost), encryption, or, if time doesn't really matter all that much, an insured bubble wrapped zip disk sent via snail mail does rather well.

btw- i'm assuming that you don't want anyone to know that you use netscape for your webmail.

Re:Isn't ANYBODY the least bit worried?!

[swonkdog]

no, not really. if i have something that's extremely sensitive that needs to be sent somewhere it gets beamed directly through either modem to modem (security is more important than cost), encrypted email, or, if time doesn't really matter all that much, an insured bubble wrapped zip disk sent via snail mail does rather well.

btw- i'm assuming that you don't want anyone to know that you use netscape for your webmail.

If the Microsoft passport is the problem

[bug_hunter]

I heard somewhere that the Microsoft passport system is what caused the security leak. Here's some PR at the passport site

"Gone are the days when you had to remember a member name and password for every site you visited. With your free Microsoft® Passport, you select just one member name and password to use on a fast-growing number of major sites!"

Currently their working with a slight variation of the above plan but it's still ingenious, by getting rid of passwords all together it is darn easy for you to log on.

Front Door Closed? Back Door Still OPEN!

[asa]

Looks like MS HotMail closed the front door but left the back door open. If this is the case, its a greater disservice to users that the lame security was in the first place. Now legitimate users will have to use the hack to protect themselves.

Re:A major design point.

[zmooc]

better names than you picked: better_sprintf(), better_sscanf() and better_gets()

When did they switch to Passport?

[SpinyNorman]

According to c|net's story, the original exploit web page claims to have been was written in June 1998!!!

There's also a great spin quote from Microsoft:

"Once we were notified we began investigating," the spokesperson said. "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy.

Wrong. It's real.

[aenea]

I just went to the mirror page listed above and put in an account I use when posting on Usenet and got the usual whole page of spam messages. Then I went back in through the portal nad got the same spam messages.

Pretty clever fake, that is.

blame in on Unix

[Not+A+Nerd]

Now let us watch the spinmeisters at the MSFT marketing department blame it on Apache/Unix. I can already hear them now, "Well, hotmail was implemented on Unix, using Apache, and if it would have been on an NT box with IIS, this would have NEVER happened! It's the fault of those open source programmers who don't know how to write secure code!"

Hotmail panic!

[Stavr0]

http://www.hotmail.com
'10061 connection refused'

"Oh fsck! What do we do ???"
"Pull the plug!!!"
"You want me to--"
"NOW!!!"
YANK!
---

CNN STORY!

[Stavr0]

Wow! It just blew right to the front page!!!
---

I wonder why...

[tlight]

Hotmail doesn't disconnect their service like eh.... right now seems a good time! I mean... this seems like the sensible thing to do now...

holy crap indeem

[My_Favorite_Anonymou]

I have move my primary accound a year ago, but I still have 10~ mailing list accound on it. (it was the fastest at the time.) At least you got to change the password to something else no-resamble your other password.

CY

the embrace extend of "FDU"

[My_Favorite_Anonymou]

You can't "FUD" your own product. Boy is this word over abused or what. Even Microsofie AC astroturfer and Dvorak start fashioning the word. :)


CY

Re:the embrace extend of "FDU"

[fwr]

I think they meant that MS is using FUD to >promote their own product. Like, look here what can happen if you don't use MS Passport!

This is what happened...

[Trojan]

At first there were only the webpages with the script to let you in. Then people mentioned that all you have to do is type in the URL with a bogus password field (note the: "bounced directly into a user's mailbox"). It's all the same hole. And it's fixed now.

It shows that CNN is reading Slashdot, though :)
(and not understanding all of it).

If you want to try it out...

[ebcdic]

...without actually looking at a real person's mail, just use one of those addresses you get spam from. pplegal for example - it's full of bounced spam, of course.

Re:If you want to try it out...

[QuantumG]

I'd cover your arse on the legality factor here. Microsoft has been known to sue for less.

Who do I sue?

[chazR]

If I had a Hotmail account (which I don't)

And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)

And I was able to prove financial loss through this breach (which will almost certainly be the case for someone)

Who do I sue?


There is a place in this world for lawyers. But then there's a place for fungus too.

M$ says it's fixed, bring on the FUD

[spoon42]

from the ABCnews.com article

A Microsoft spokesperson today confirmed the hole and said the company has fixed it. "Once we were notified we began investigating," the spokesperson said. "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy.

just to be sure, I checked an account (mine, which I rarely use because I never really trusted M$ to be able to do this sort of thing competently) and lo and behold, "Error 403: Forbidden" (they turned off the permissions for /cgi-bin/start. I'm no expert, but I'm guessing this is only a quick fix.)

but I just love the quote. since when does changing the cgi queries in a URL involve "specific knowledge of advanced Web development technologies"? good ole' Microsoft. at least this time, they actually admitted the problem even existed within a reasonable amount of time.

whatever, just had to get that off my mind. :)

tabloids first

[Hobbex]

This was the headline of a tabloid here in Sweden this morning. Though at the time I assumed it was just more Internet FUD. Could it be that we are finally seeing public awareness to network security??? Hopefully we can smudge Microsoft over this story in in the popular press.

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

My Goodness

[xtype]

I wish to God that CmdrTaco did not post this.
I have been having fun reading my friends mail
and what not (hehe.. not really) for a while.
Then it is on /. and in turn everyone knows
about it. So of course they close it up.
Too bad we could not have kept this one silent.

cracked no more!

[Josh+Picker]

(this comment will probably seem redundant, but) it looks like Microsoft has finally taken care of the problem, albeit temporarily. Hotmail's main address is down and the server was obviously instructed not to let anyone in.

it really was fun while it lasted. i tried names at random (bob, billgates, jane). i thought about checking my friends account, but that just seemed downright wrong.

Re:Quit while you're ahead.

[The_Jazzman]

I'm no lawyer, but is typing in an URL illegal ? I'm probably wrong, but cracking passwords and the like *is* illegal, this is just typing an URL... maybe I'm far too optimistic.

changed it a little

[The_Jazzman]

Well, the following URL *nearly* works... just complains a bit about cookies...

So, we now know MS's security policy... if in doubt, change the filename...

http://wya-pop.hotmail.com/cgi-bin/HoTMaiL?curmb ox=ACTIVE&js=no&login=USERNAME&passwd=aaa

URL of a crack? no need

[Speef]

here's the sad part:
http://207.82.250.251/cgi-bin/start?curmbox=ACTI VE&js=no&login=USERNAME&passwd=eh

what do you do? replace USERNAME with the username of the hotmail user wanted.... now THAT is some killer security... that is such a giant hole it is not even funny.

This is sad.

[Speef]

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=USERNAME&passwd=eh

replace username with the name of the account you would like to see. For some reason some accounts do not work as well as others, they will complain about cookies or an intrusion... 90% work great though.

Sad sad sad

Re:Has anyone tried the crack and got it to work?

[tak+amalak]

Works fine for me. :) This is great...but evil at the same time.

--
My girlfreind gets upset when I check out other chicks.

Offtopic

[Twisted]

Where does your sig come from ? Have been looking for the words to that ?drinking? song since I first heard it a while ago... What band? title? other words?
:-)

Re:Still working... NO IT'S NOT!

[bbeaton]

To add insult to injury, looks like a Microsnot lover got at the site!

Crack page taken off

[Enoch+Root]

If you go to the crack page now, all it shows is a message reading, "microsoft rules". I guess somebody came down on their asses, or else they chickened out.

However, the analysis provided by many people on here is correct. Using the URL:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE &js=no&login=UserID&passwd=eh

still works, and I'm curious to see how long it will take M$ to patch the hole up. Given M$'s security history, they seem to think a security hole is patched if no one knows about it.

Anyone wants to start a pool to determine how long it will be before it's fixed?

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Re:Quit while you're ahead.

[Enoch+Root]

That may not be the case. Hotmail is back up, so I'm wondering... Did we just /. Hotmail itself?

At any rate, I'm not sure it's illegal to type in a URL? Like someone pointed out, what if you're just testing the integrity of your own mailbox? I only checked friends' accounts, after getting their permission.

Sides, I'd like to see Microsoft sue the whole of the Slashdot readership!

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Re:Secure Web mail

[Enoch+Root]

You're bashing on XOR for no good reason. Leave XOR out of it.... ;-)

Well, shesh, my apologies to the XOR fans out there... :-)

I was indeed thinking of those companies that call XOR'ing the plaintext with a fixed string "secure encryption".

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

CNN is BSing

[Enoch+Root]

The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot.

For instance:

Web posted at: 12:40 p.m. EDT (1640 GMT)

(...)

Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."

Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of /.ers. Besides, they don't mention the URL; how the hell could the CNN readers find it? It was posted here on /., though.

Funny, seems we helped Microsoft this morning by forcing them to realise they were in trouble, and now CNN is taking the responsibility!

I think Rob and Hemos should sue!!!

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Re:CNN is BSing (not really)

[Enoch+Root]

You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.

Oh. Yeah, that makes sense. I still think whoever stumbled upon this at CNN was reading it right off Slashdot.

WHat bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog.

I know, and I agree; it's irritating. The crux of the matter is, the bug was there in plain sight, but it didn't come to attention before. It's easy to go through a normal Webmail usage routine, and try to see if any URL can be validated without password.

The backdoor, as it is, wouldn't be such a big deal if it were an advance programming technique. It's the simplicity of it that's a little boggling, and it may be easier to criticise than to actually do it, but this sort of things would be foremost on my mind when developping a Web-based mail service. It's basic stuff: you want no URL to be valid when it deals with private information if there is no password validation taking place.

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Secure Web mail

[Enoch+Root]

I find it amusing that it would come to this. Hotmail keeps saying in TV ads that they're "perfectly secure and private" because they prompt you for a PASSWORD when you try to access your mailbox. Whatever means was used to crack Hotmail, I think it's a good thing. It will make people realise a system is not secure because the company hosting it says so.

This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)

On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail for Email with a real security. At least their encryption isn't just XOR-based. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Re: Secure Web mail

[NixNewbie]

I've known 14 year-old female hackers

Hope you didn't know 'em in the biblical sense. Heh heh heh. Sorry, I know that was dumb but I couldn't resist.

Objectivity thrown out the window..

[Laner]

Oh yes, simply because Microsoft owns Hotmail, that is the only reason for the security hole. I'm sure there's NEVER been a Linux server with security problems (yeah, right)

CNN Headlines !

[gupg]

Its been on the headlines of CNN all morning cnn.com It seems the bug has been reopened after Hotmail "fixed" it.

I think there is a bigger issue we must consider here - namely, is there a system hackers can't crack if they turn against it - the only reason Linux sites have not been attacked so far is because alot of the hackers are on the side of the "good" forces - namely unix in general and want to see dark side to die.

But we may start seeing alot of unix based sites being cracked when these people turn their attention to them.

This whole mess has nothing to do with Microsoft - its hotmail running on BSD unix !!! Just another company with 40 million users .....

Spin City

[Darksky]

I wonder how much money Microsoft has spent in the last couple of months on damage control? Covering up the Linux PPC/windoze 2000 fiasco, keeping Redhat's stunning debut from being a top story, and now this Hotmail thing... If we hear anything about it at all, I can see the news clip now,"Hotmail.com was ruthlessly hacked today by renegade Linux users (believed to be associated with the renegade web site slashdot.org). Only lighting quick responses my Microsoft (and particularly Bill Gates himself) prevented a major security brech for millions of users."

please, this is starting to annoy me.


-theres only one everything

Oh fuck..

[prodeje]

This is serious.. I have no idea why they haven't pull the fucking plug on the box. I'd glad that I never had any cc's on there.

This thing actually works..
...

This may be bigger than just email

[junster]

This passport problem could run a lot deeper than just email. MS's new version of moneycentral.msn.com requires that you have a passport account. This service allows you to track your stocks via a nice GUI. It also has the ability to store this information on MS's servers so that you can access the information from any computer. I don't do it that way.. but I am sure that many people do. Oh and anybody remember MS wallet? I beleive that the next version is supposed to use this wonderful device called MS Passport.

POP3 is better

[jflynn]

POP3 is a little safer simply because normally the user downloads mail and it's deleted from the server. Attacking the server can only compromise mails still undownloaded.

Webmail, you can often see the entire history of mails received by the all the accounts on the web server. That makes an exploit more damaging.

Neither is a secure channel, for sure.

Jim

Well that was enlightening

[Party+Chief]

So I decide to check my dear colleague's hotmail account through the cracked link and bingo - plenty plenty plenty confidential info forwarded from his work address as he is on vacation.

Fsck, this is serious.

I see the cgi prog is no longer at the 2038 URL :->

Quit while you're ahead.

[Macphisto]

Logging in now is a BAD idea.

Microsoft is obviously aware of the problem, and their lawyers will hunt you to the end of the earth.. nobody can get into Hotmail except for those who hack in. This is an *easy* way to keep track of IP's that break in.

It's too late for me but maybe not for you..

Re:Quit while you're ahead.

[Macphisto]

> I'm no lawyer, but is typing in an URL illegal ? I'm probably wrong, but cracking passwords and the like *is* illegal, this is just typing an URL... maybe I'm far too optimistic.

I don't know - I'm not of the legal bent either. But telnetting to a host and trying to break in is illegal, right? And 'telnet www.hotmail.com 80' will give you essentially the same thing... so a suitably inspired lawyer might be able to make a case that way. Pushing things to extremes, I thought of a ridiculous defence along the lines of "I was just varying the electrical potential in this copper, yer honor, how was I supposed to know I was launching those nukes..."

I'd don't particularily trust the courts or the legal system, so I usually err on the side of paranoid, but that's just me.

UPDATE...

[Jonny+Royale]

Hi. I tried this with some ID's from friends. I got through on one, but after that I got accesss forbidden (403). Has anyone tried twice? Or more than one acct. from the same IP, or did they fix it?

It's back...

[Jonny+Royale]

Don't know how, but it looks like their re-directing the re-direct to a new address.

YES!

[ffatTony]

It worked w/o a password on my own account. I was too fearful to try any others.

It's down!

[DerMarlboro]

The site just went down. And by that I mean www.hotmail.com. Lucy, you got a lot of 'splaining to do!

Closed 11:50 EST?

[ZahrGnosis]

Well, the pages I've been using have just now started to be refused by HotMail. Looks like they had to take down the whole hotmail site to fix the problem; I wonder how long that will last! I can't connect to www.hotmail.com, or via the "crack", it seems.

Or are they just refusing traffic from my site? :-)

---ZahrGnosis

Hotmail disconected?

[jmoo]

I did a trace route and found that the route to hotmail seems to be down.
bordercore1.Sacramento.cw.net [166.48.188.1]

Can anybody confirm?

Gone...

[jqs]

The Site is gone already... Pointing you towards MicroSlut's Wall of Shame Page, I mean their security holes page... [grin]

Hotmail.com on UNIX right?

[CmdData]

If I'm right isn't hotmail.com running on UNIX? that figures. UNIX has more holes than an old womans underware.

Re:Umm... has anyone tried sending?

[emf]

hmm, how about all those "send password via email" websites.. Wonder how many let you see their members id & email address.. (ICQ??)

Microsoft Passport "Security"

[dynweb]

Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here to see the MS FUD on "Passport Security".

Not the first time

[Alejo]

A while ago there was an even uglier hack.
sort of auto-linking abusing the url.

Re:The real loser isn't MS, its users who needed a

[Stonehand]

I believe the Finnish server you were referring to was an anonymous remailer service at anon.penet.fi; one that, if memory serves, anonymized both ways (one could anonymously send mail to a user of the service, as well).

Word is, that the service was shut down after the judicial system was used to disclose account information, after the Church of Scientology went after a disgruntled ex-member who was using anon.penet.fi. However, that might only have been possible since it was a remailer service, and thus had to know about the actual e-mail address if memory serves. Thus, the real (non-anonymous) account could be revealed.

Web-based system might change that, if the admins -- and users -- actually care about security and anonymity. Hotmail clearly does not, as it puts IP addresses in mail sent via itself -- addresses that could point to a whistleblower's work machine, for instance, and it also requires a bit of information for registration.

A major design point.

[Inoshiro]

Here's a little problem I've noticed (including relating to the recent ProFTPD root exploit).

People think they can get away with strcpy, or sprintf, or similar. This is wrong. You should ALWAYS verify the amount of data copied, wether it be to a fixed sized buffer, or a malloced region.

strncpy, and snprintf are very, very good ways to secure your code from the start.

But this is often disregarded! Agh! Pascal and Basic make people soft about how they handle strings, because they encode length in them and use their buffers in a way that seems logical at first, but is very holey when it comes to actually implementing things.

Strings in C != hard, if you can accept the ideas of pointers, string library functions (I like the abstraction), and general good coding techniques :-)

Re:A major design point.

[Inoshiro]

A string is not an int.

If you have an int overflow, it just resets the int to the lower/higher bytes, depending on endiannes.

A string is different. A string is a HUMAN data object, not a computer one. Having a fixed-length is practically required because, you guessed it, computers can't encode this data in a really good way (Pascal's int then string array idea is fine, until the string array is > an int).

The C language was designed to be extensible, and lightweight; Linux is like this, too. Why should we have dynamic strings in the language? If you want dynamic strings, write a C++ class or a C function library to deal with such. It can be done.

But things like FTP commands, and directorys are naturally of a fixed string length. Why use a dynamic string to work with it?

On top of that, how can you get data, then malloc the data? You'd have to redesign the function to read into a buffer of some kind (an infinite buffer? Oooh, maybe a fixed-length one), and then copy to a buffer of appropriate length. You'd also have to grow (realloc) the buffer as needed. This is a lot of work that is not needed 99% of the time when dealing with strings. I don't need 1%er language functionality, that just adds bloat and slows code.

Besides, why should I have dynamic string when the content is static? Waste of CPU time, et all.

I hate people who come from basic/pascal, and then complain because they think of strings in rather a different light then normal C prorgammers do. Please, if you use a language, think in that language when working with it.

Go ahead a bash MS

[learned]

Yes hotmail runs BSD/Apache, but MS bought it. It's most likly the code and MS IT managers should have seen the security problems and addressed them.

But this is also a problem with IT managment everywhere. Sys admins typically tell IT managers everything that needs to be done (backup, security, etc.), but IT managers are reacting to poor business practices of the marketing/sales people, and ignor problems util they happen.

Check these addresses, all.

[al3x]

I strongly urge you (for a laugh) to take a look at billgates@hotmail.com, bob@hotmail.com, and xxx@hotmail.com.

Gates sure likes his pr0n...

link?

[sevenseven]

anyone got a link? plus i guess it was just a software fault, nothing else... right? sloppy programming (m$ style) and people that had time to track it and exploit it...

nevermind

[sevenseven]

nevermind... it is too dangerous

let's wait for ms to plug the hole

Re:Has anyone tried the crack and got it to work?

[sevenseven]

a lot of people used it and it works fine... like getting to admin@hotmail.com.. and any other existing account

action

[sevenseven]

so what am i supposed to do if i have an account with hotmail and i have sensitive information there? any suggestions? i guess all i can do at this point is delete everything remotely important and pray that no one that would be interested will logging to look at my account.

[btw - i do not have an account with hotmail, but a lot of my friends do]

Re:just ./'ed

[sevenseven]

it is working.. just heavily ./'ed

legality?

[sevenseven]

just wondering what microsoft can do with the domain owner that posted it?

msn instant messenger?

[jesser]

i think the problem was more closely related to msn instant messenger than to msn passport (both were introduced to hotmail members recently). msn im tells you when you have mail, and lets you go to your inbox or specific messages by opening a temporary .html file on your computer that redirects you to a specific hotmial url. the first version actually put your password in that temporary .html file, but that was fixed. today, i wasn't able to use that feature of msn im. i got the same error as when i tried to access my account through the 'crack' page.

perhaps the problem was that they implimented the fix for the temporary .html file containing your password too hastily?

Hotmail is DOWN!!!!!

[Neo1]

Hotmail is DOWN!!!!!

Uhh, no.

[Tridus]

Well, this one works.

http://area51.slashnet.org/~drw/hotmail.phtml

Or at least it used to, they may have fixed it by now. I went in and looked at three people's accounts with my own two eyes (including mine), so I know it works. Unless they download every single hotmail account to fake, this is/was a real exploit.

Apparently it was a screwup on the part of whoever programmed that part of the CGI running Hotmail. I'd love to know who made that mistake. :)

Umm... has anyone tried sending?

[Tridus]

Has anyone tried sending email? I just logged into a friends account using this exploit, and sent myself an email using his acccount. It showed up here at my ISP's server.

This is really really really bad. What can't you do with this?

Re:Still working... NO IT'S NOT!

[jbuilder]

The index.cgi program that drives the crack just got pulled. I think all of us here beating on it got the attention of the sys admin at 2038.com.. ;-)

Take care.

Re: Browser compatibility

[Pfhreakaz0id]

Jeez, I don't get people slamming M$ for browser compatibility. I'm sorry, but if I'm M$ I could give a rat's ass if my pages work in Netscape, except the one that let's them download IE.... And if I'm netscape, I don't care what my pages look like except the one that let's em download Netscape..... sorry foks, that's business...

I LIKE hotmail.... the new OE 5 lets you access that common web-based mailbox from right within your email client. I think it's pretty slick.

it's down now...

[brad+thermonuclear]

after you put in someone's name, it can't locate the cgi... it's been taken down definitely now. not just /.ed

Has anyone tried the crack and got it to work?

[dante773]

Before we start going ape on Microsoft (I'll be the last one to defend them, though), has anyone actually used the crack and got it to work?

IT DOES WORK!

[dante773]

I just tried it with a few peoples hotmail accounts I know and IT DOES SEEM TO WORK.

Make sure nothing important is on hotmail.

Wow.. this is scary.

Wow, this is pathetic (was Re:TRY THIS URL !!!)

[dbezona]

The URL works, how ridiculous.

This is obviously not an OS issue, as many have so eagerly assumed, this is egregiously bad application design.

If Microsoft was smart, they would shut Hotmail down until they can fix this stupidness. This hole is big as a barn door, and now that the cat is out of the bag, I can only imagine the grief that some unsuspecting Hotmail users may be in for.

*sigh*

Redirect?

[KyleRoadman]

Is it just me, or has a redirect been setup at the 2038 site? It's pointing to Microsoft Security Advisor. hmmmm.

Hotmail was great...then came MS

[digigasm]

Ok, this company needs to be squashed and squashed hard. I started using hotmail before it was MSN Hotmail. I chose hotmail because it was free, low on advertising, and I could access it with a text browser (this was before I had my own pc and used a library terminal). Then Dr. Evil came into the picture and f*cked everything up. One of the first "enhancements" they did was take away my Lynx access. That pissed me off royally. Now, every (ahem) 3l33t haxor dood with too much time can use my Mastercard #. Screw Microsoft. Hotmail was fine until these losers showed up. To Mr. Gates... If it ain't broke, DON'T FIX IT!!!!

Hotmail gonna be hacked again!

[Ba1der]

I read in a swedish newspaper (www.aftonbladet.se) that HU will hack Hotamail again today.
Aftonbladet writes that microsoft only has secrured one of the 6 servers witch don't check the passwords, and that they gonna "crack" another one today. I'm looking forward to this......

(If only ppl could learn the difference of HA/CRA -ckers)
To be continued i recon.......

Re:Secure Web mail PATENT PENDING

[hushhush]

If you'd taken the trouble to check out our website, you'd know that our code is developed in Anguilla, BWI and our bandwidth is served out of Canada, so we are not subject to U.S. laws regarding encryption. Otherwise, logic should have told you we would have been shut down months ago.