Hotmail Cracked Badly
All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)
hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD
Your e-mail is private and secure (yeah right! hehehe)
/hminfo_shell.asp?_lang=&beta=&content=whysign&us=ws
/. k.d. /. earthtrickle - Monkeys vs. Robots Films
When you sign up for Hotmail, you choose your personal ID and password. The only way you can access your account is by using the password you select. This means that only you will have access to your Hotmail account, even if you use a computer at a public terminal or a friend's house. (unless you use our convenient form based access if you "forget" your password... hehe)
Because the messages in your Hotmail account are stored securely at a central location, you don't have to worry about losing important information if something happens to your computer. (until someone breaks in... heheh)
Hotmail is strongly committed to keeping your personal information confidential. For more information on our Privacy Policy, click here. (the info goes straight to billg's desk. he reads it all! he knows who you are... heheh)
Sign Up Now!
excerpt from: http://lc3.law5.hotmail.passport.com/cgi-bin/dasp
It is actually incredibly difficult to send spam from hotmail. It is not a task that is easily automated because you have to go through their web interface for each and every message. Sure you could probably script it with perl, but that is far beyond the skills of 99.999% of the spammers out there.
Instead, when people say that the only thing they get from Hotmail is spam, they probably mean somebody forging mail with headers to look like it is from hotmail. Which is kind of what you said, but unless you read procmail filters it wasn't so obvious.
In your case, the procmail rule won't stop someone who is forging the X-Originating-IP line either, but it is probably good enough for most spammers.
"Security through obscurity" implies that obscurity is the security mechanism. That's different from non-peer-review.
If the mechanism for a passwording scheme is a switch statement with all the passwords inline (obfuscated somehow, obviously, so one can't just run 'strings' on the binary to extract the words) then it is "security through obscurity" to keep the source hidden.
Not submitting your source code for peer review isn't the same thing by any stretch of the imagination. It's just one precaution among many that can be taken to preserve a system's security.
Of course, devotees of the warped notion of "peer review" being bandied about in the Open Source(tm) community won't agree, but Peer review used to refer to a review by one's peers, in the sense of a credentialed body of experts. Not "throw it out onto the street and see what happens to it."
Well this seems to be down. Try http://lagparty.org/hotmail/ instead.
http://207.82.250.99/cgi-bin/start?curmbox=ACTIVE&js=no&login=&passwd=eh
University of Karlsruhe represent!
Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ENTERLOGINHERE&passwd=eh
replace ENTERLOGINHERE with the account you are cracking.
This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.
1) We're not told in this story where *exactly* the security hole is (in which part of the system)
2) According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"
So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.
Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.
Why should I prove something I never said? I said that MS marketing people have often mentioned they'd like to increase NT's presence at Hotmail, not that there are plans for wholesale conversion.
In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).
----
----
Open mind, insert foot.
$ nslookup
> 207.82.250.251
Name: wya-pop.hotmail.com
Address: 207.82.250.251
> set querytype=any
> wya-pop.hotmail.com
wya-pop.hotmail.com preference = 20, mail exchanger = mail.hotmail.com
wya-pop.hotmail.com internet address = 207.82.250.251
hotmail.com nameserver = ns1.hotmail.com
hotmail.com nameserver = ns3.hotmail.com
hotmail.com nameserver = ns1.jsnet.com
mail.hotmail.com internet address = 216.33.151.135
ns1.hotmail.com internet address = 207.82.250.83
ns3.hotmail.com internet address = 209.185.130.68
ns1.jsnet.com internet address = 209.1.113.3
Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.
Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.
you can login as a user and get a list of their mail, but you can no longer view it. ...shucks.
----------------- ------------ ---- --- - - - -
Your honor is perfectly understandishable.
Alex Bischoff
---
Alex Bischoff
HTML/CSS coder for hire
Sure it's possible. LynxSSL.
Sorry, Billy. Really.
Actually I like POP too, is there an implementation of it out there that uses encrypted passwords?
What are the implications of this regarding the
Microsoft Passport programme? From hotmail.com:
Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSNTM HotmailTM member, you can use your Hotmail member name and password as your Passport!
That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites-without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.
Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click-without having to re-enter any information. No multiple sign ins, no hassles!
Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?
Dog bitecha!
Wansu, th' chinese sailor
Others have mused about the possibility of the Hotmail lawyers coming after people who exercised this security feature. Well, CNN says they did this so I guess they are in the soup too.
Now a buddy of mine says, "Watch M$ turn this around and say they've fixed the problem by switching to NT!"
Arrrrrgggghhh
I'll throw this one out.
What are the chances that MS "allowed" this hole to exist so they could spread FUD about *NIX.
"This just shows the world that a free OS built by a bunch of hackers in their bedrooms can't compete with an Industry Supported OS like Windows 2000."
How long till something like that comes out of Redmond?
Bullshit. Microsoft screwed Hotmail up badly. Compare Hotmail as it was *BEFORE* Microsoft got its hands on it as opposed to the way it is now. The old Hotmail didn't care what browser you used to access it. Now thanks to MS, you can't use older browsers or Lynx with it (well you can use lynx but you have to modify it)
--
FUCK that!
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
And, even if the admins of Hotmail don't read Slashdot or other tech news sites, the massive surge in activity, PLUS the massive surge in accesses of mailboxes should have rung alarm bells from Hotmail to Antarctica and back.
If THAT weren't enough, the admins must be aware of a huge increase in the number of people accessing via a single machine, and via a single method.
If that STILL weren't enough, they must have been notified by now that something's going on.
Finally, if complaints, surging activity from a single computer, news everywhere of the hole, and a massive increase in the use of Passport, were not enough to pull the plug, I'm sure journalists read Slashdot and some may have phoned Hotmail for a comment. System cracking is still news, even these days.
Yet, despite all of this, Hotmail still has that security hole wide open. *SIGH* That is astonishing.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.
There's a bunch of sites that have the same effect. Like http://www.erikaweb.com/misc/hotmail.htm, for example. Just go to AltaVista and search for "hotmail login -host:*.hotmail.com".
It seems like Hotmail doesn't check for the password when you first open the mailbox when the referring page is not in Hotmail's domain. Big hairy bug indeed.
In Soviet Russia, Jesus asks: "What Would You Do?"
Think again. You are making the famous appeal to Security Through Obscurity. If Passport were open-sourced, people would find the bugs and fix them, instead of sitting on them and hoping no one would notice the way Microsoft does with all its products.
Beer recipe: free! #Source
Cold pints: $2 #Product
looks like they disabled that cgi.
There are a lot of people who were doing illegal things through Hotmail who are potentially under surveillance through this insecurity. I don't really care about them. (I'm not talking about the person who occasionally forgets that Microsoft Word or Quake 2 or whatever is a commercial product, but more the people who put up a tonne of stuff and use it to generate money whether through banner ads or subscriptions) I am concerned for the people who wanted anonymity for legitimate reasons. Maybe they were anonymously subscribed to sexual abuse survivor mailing lists or online support groups for the differently gendered.
A lot of people are going to state that these people were stupid for relying on a Microsoft service, but where are they supposed to go? It isn't stupidity so much as a lack of education. This is compounded by the people who are technically capable of doing the educating. Too many of them are too busy looking down at the unwashed masses to communicate the options and hazards involved with the various options.
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (it's been a while) which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
There are probably others (I don't use anonymous email myself, I do use services that allow me a perpetual email address for non-critical stuff, like providing head hunters a consistent address)
but the only thing you really hear about are Hotmail or Lycos etc.
It's not a matter of who owns it; rather, the underlying pattern of lax security that has become a hallmark of Microsoft implementations. This is not the first example; take, for example, Windows' e-mail attachment handling (which allowed the Melissa virus to flourish, over a decade after the Internet Worm should have taught everyone a lesson), ActiveX (which can either be disabled or insecure), and the numerous NT security flaws.
Microsoft have a culture which assumes that networks are controlled and orderly, much like corporate LANs, rather than the chaos of the Internet. This comes up in their assumptions, and their lack of attention to security. The Microsoft Passport hole is merely the latest example.
I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.
It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.
Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?
Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.
One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing ?
We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
So to be useful, you just have to get all of your correspondents to also use HushMail. Right. Forget about all the existing PGP users. And how can you get a patent for something that is already widely available? Why all you have to do is tack 'Roaming User' onto the end of the description and Poof! The software patent fairy grants your wish. Watch out world, I got a patent so I can sue your ass off if I feel like it!
"The only good windmill is a tilted windmill."
I can't get it to work (trying at 1:12 CST). I get a Forbidden, Don't have permissions to access /cgi-bin/ error...
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.
And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)
I hope you're not inferring that it's a good idea to pass data through a POP3 server. Not sure if you've encountered this one yet, but POP3 (and most of its kindred) send passwords and mail in the clear, the same way hotmail does. Indeed hotmail would be slightly more secure, since the passwords are likely sent in a POST form, which is mime64-encoded and thus very slightly protected against casual over-shoulder interception. Further, POP is a much more common target for interception since its use is so widespread and the format is quite standardized.
"Secure mail," inasmuch as that can be taken as anything but a contradiction in terms, involves stuff like a secure transmission client, encrypted channels all the way from sender to recipient, storage in encrypted form or on a cryptographic filesystem on a trusted, isolated server, and a secure reception client. At present hardly any such systems exist. The ones that do -- well, they don't run POP3.
I wrote: Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.
Hee hee... s/ASP/cgi/
So this just means it's lousy coding. No surprise there. cgi-bin's been a scary thing to have on your system for a long time.
Do you have a
Anonymous Coward writes:
How abouts some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)
I agree. Why haven't I seen this on Bugtraq yet? I'll admit I haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts /. these days).
Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.
Btw, someone want to moderate up that (intelligent) AC comment?
Sujal
politics, food, music, life: FatMixx
Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.
Anyway, I've been told that they use "Microsoft Passport" and that's what's been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?
Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
Consider this ironically timed story on the front page of www.zdnet.com:
Microso ft Makes Reading Easier.
Yes. It seems they do.
I think there is a world market for maybe five personal web logs.
Yeah they just had to increase their hw by ~8000% first (maybe?).
LINUX stands for: Linux Inux Nux Ux X
FRA: STFU GTFO
Looks like it is gone now- could anyone describe it?
-luge
IAAL,BIANLY
I take that back. Holy crap indeed. Thank goodness for free school email (not that it wasn't cracked in January, but whatever...)
Just pulled ALL my stuff off hotmail (6 accounts) and notified all hotmailers that I know of the crack. Also fired off a nastygramme to Hotmail about their aircraft-carrier-sized hole in security.
I basically mimicked the first guy who responded to this particular post. "Holy crap!"
Chas - The one, the only.
THANK GOD!!!
Chilli
-=- Just a random lambda hacker
> At least their encryption isn't just XOR-based. :)
;-)
Well, in fact many REAL (&safe) encryption algorithms are run in the xor-with-the-plaintext mode. As long as the bitstream that you XOR with is sufficiently unpredictable, that is perfectly safe.
You're thinking about xor-with-a-fixed-string or something like that. That's stupid.
You're bashing on XOR for no good reason. Leave XOR out of it....
Roger.
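To make the distinction in the post above concrete, here is an added example (mine, not from the thread) of XOR under an unpredictable keystream versus XOR under a fixed repeating key. The cipher, key, nonces and messages are all constructed for illustration; HMAC-SHA256 in counter mode stands in for a real stream cipher.

```python
import hashlib
import hmac
import itertools
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- Sound use of XOR: keystream = PRF(key, nonce, counter), never reused.
# HMAC-SHA256 in counter mode is a constructed stand-in for a real stream
# cipher such as ChaCha20; the point is only that the stream is unpredictable.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in itertools.count():
        if len(out) >= length:
            break
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt   # XOR is its own inverse


# --- Unsound use of XOR: one short fixed key repeated across the message. ---
def fixed_xor(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_fixed_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """key_len bytes of known plaintext (a predictable mail header is enough)
    XORed with the ciphertext give the fixed key back directly."""
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def break_fixed(ciphertexts: List[bytes], known_prefix: bytes, key_len: int) -> List[bytes]:
    """Recover the key from the first message and decrypt every message with it."""
    key = recover_fixed_key(ciphertexts[0], known_prefix, key_len)
    return [fixed_xor(key, c) for c in ciphertexts]


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """The same trick against the stream cipher yields only that one message's
    keystream; with a fresh nonce per message it unlocks nothing else."""
    return xor_bytes(ciphertext, plaintext)
```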
Perhaps this is obvious, but this is not just a stolen password list. I changed my password on Hotmail, and the crack URL still happily lets me in.
I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).
Remember, Hotmail uses both Solaris and NT in various capacities.
Nothing worth doing is worth doing today.
> I block anything from Hotmail anyway, since only
> spam ever comes from Hotmail, so who cares?
The last time I got spam from Hotmail, I sent an irate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.
Here's my procmail recipe which does just that:
# Mail claiming to come from hotmail.com that lacks the X-Originating-IP:
# header Hotmail itself adds is delivered to the "junk" folder.
# (H = match on headers only; the trailing colon asks for a lockfile.)
:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
junk
2 dashes and a space, or just 2 dashes?
Yeah, and have your password transmitted in clear text to your ISP. If you didn't know, this is the biggest drawback of POP3. Use IMAP instead.
It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.
--Joe--
Program Intellivision!
Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIV
In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.
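As an added example, not Hotmail's code, the pattern Joe describes can be reconstructed in miniature: a mailbox handler that selects the mailbox from `login=` and never compares `passwd=` with anything, beside one that serves only the mailbox bound to a server-issued session. Users, passwords, the session store and the URLs are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed user store: login -> (password hash, mailbox subjects).
# A real deployment would use a slow KDF (scrypt/argon2); sha256 keeps the demo short.
_SALT = b"demo-salt"


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS: Dict[str, tuple] = {
    "alice": (_pw_hash("correct horse"), ["Re: lunch", "VISA statement"]),
    "bob": (_pw_hash("hunter2"), ["Build failed"]),
}


def _params(url: str) -> Dict[str, str]:
    """Flatten the query string to single values, keeping empty ones."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


# --- Vulnerable pattern: the mailbox page assumes the caller was already
# authenticated upstream, so `login` alone selects the mailbox and the
# `passwd` parameter is never compared with anything. --------------------
def start_vulnerable(url: str) -> Optional[List[str]]:
    p = _params(url)
    if p.get("curmbox") != "ACTIVE":
        return None
    record = USERS.get(p.get("login", ""))
    return None if record is None else record[1]   # passwd ignored entirely


# --- Hardened pattern: credentials are checked once at login, a random
# session token is minted, and the mailbox page serves only the account
# that token is bound to, whatever the URL claims. ----------------------
_SESSIONS: Dict[str, str] = {}   # token -> login (constructed in-memory store)


def login(user: str, password: str) -> Optional[str]:
    """Verify the password in constant time and return a session token."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0], _pw_hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user
    return token


def start_hardened(url: str, session_token: Optional[str]) -> Optional[List[str]]:
    p = _params(url)
    if p.get("curmbox") != "ACTIVE":
        return None
    owner = _SESSIONS.get(session_token or "")
    if owner is None:
        return None                       # no session: back to the login page
    if p.get("login", owner) != owner:
        return None                       # URL names another account: refuse
    return USERS[owner][1]
```

The hardened handler is also what makes changing the Hotmail password meaningful again (a point raised later in the thread): access follows the session, not whatever the URL says.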
I think they have something set up which monitors the IP you're coming from, and seeing how you're using it. I tried it a few times and it worked, but then it died. Perhaps the system is sort of crippled -- and realizes your multiple attempts using this one url, and blocks you out.
Dunno
So there.
This is one reason why I avoid web mail. I prefer pop3 where the mail only sits on the server for a short time, and is then pulled down to my own system.
Plus your local ISP's pop server is not a high-profile target like Hot mail, making it far less likely to come under attack.
Of all the comments I've ever posted, this is definitely one of them
"Where were you when you heard that Hotmail was cracked?"
Michael
"Where were you when you heard that Hotmail had been cracked?"
Michael
HOW much does a hotmail account cost you?
Yeah - logging in has worked fine, the five times I've tried it. The first four times I didn't read anyone's email, because I knew the people; I just picked a username at random and tried to open an email just now...
IE 4.5 isn't allowed on grounds I don't have cookies enabled. Bullshit; I'm using slashdot.
Just tried a sixth - same effect. I can see a listing but not view email. And the same result with Communicator 4.61-Mac.
Hmmmm....
The page at 2038.com just redirects to :
http://www.microsoft.com/security/default.asp
BTW it's a public holiday in the UK, so double plus good to the Register.
OTOH, 'there but for the grace of god'. How many of the sysadmins here are > 95% sure they've covered every hole & patched every exploit on every one of their systems ?
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
OK, so two minutes later (4pm BST, 10am EDT) it's blocked at last -- approx 40 mins from the first /. post. Anyone know what time news leaked before that ?
I absolutely agree. I do seem to have made some progress in increasing awareness; and I've decided to leave anyway, for (partly ;) ) unrelated reasons ...
In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.
Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...
..that it was almost exactly a year ago that this exploit was discovered...
I came upon this a few weeks ago while working on a simple to use menuing option for the administrators at my website. There are about 10 of us covering different aspects and we all take responsibilities answering emails and decided to keep the hotmail account one of us had set up.
I set up the 'click here to check email' on our menu, with all the form filled out as it was on the M$ site and it worked...I then noticed that it didn't require the password, but I thought that was because it had been cached some how. I tried it again from my laptop later that night (after forgetting to fix it) and it worked...hmmm...the next day I tried it again and the login procedure no longer would let me access it even once I had the password entered in the hidden form...it'd only take me to the front login page.
Maybe this was just a temporary hole...shit I have kept holes wide open in attempts to keep my machines running at times while I'm working on something. To my former boss, there ain't nothing worse than a downed machine...he'd even accept hackers broke the system, but it was running than downing it. Lucky my latest one cares more about protecting valuable information than someone being inconvenienced...
clif
There is some new exploit for wu-ftpd, proftpd, BeroFTPd going around.. I just got news of it from security mailing lists this morning. Basically, if you are using wu-ftp version prior to 2.5.0 you'd better upgrade!! I am not sure what versions of proftpd are vulnerable.. I just disabled the copy running on my home machine.
I would disagree. My guess is that they gave the job to write the program to some MCSE certified drone. However, of course the guy quickly found that the MCSE doesn't cover CGI, and the guy had no clue. Incompetence reigns within the MCSE "community." Perhaps next time Microsoft will hire a real CGI programmer. Of course, as they point out in their whitepapers, they'd have to pay a Unix CGI programmer more.
-Brent
First off it's solaris/bsd not NT. Second, it's not an OS related security issue at all. It's just sloppy programming in the hotmail setup itself.
-matt
From a ZDNet Message:
MSN Messenger Service disabled?
Since Microsoft has 'fixed' the security hole earlier this morning, my MSN Messenger service will no longer allow me to directly login to my Hotmail Inbox. That's the only reason I even use the shitty service...
Coincidence? I think not.
Any MSN Mess users confirm this?
When trying to view a Hotmail inbox of MSN Messenger you get this:
Forbidden
You don't have permission to access /cgi-bin/start on this server.
It's either something on Hotmail's end or something that will require an update for Messenger and how it connects to Hotmail.
substrate wrote:
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (its been awhile)
anon.penet.fi, yes. Read the story of its demise.
Key details not found there (unless you poke around some) are that the court case involved anonymous e-mail sent by a critic of the Church of Scientology, a lawsuit brought by Scientologists in Finland against Julf, and the subpoena served on Julf by reluctant Finnish police. Julf had simply hoped this day would never arrive; when it did, somewhat more quickly than he had expected, he was caught off-guard. Since he realized that he did not have the resources to protect the users of the service, he closed it.
which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
Julf did a great job with anon.penet.fi, but let's not oversell it. The anon.penet.fi did nothing more spectacular than remail your text with its headers. There were instances of the service being spoofed, accidentally revealing addresses, and being abused by someone with prior (social) knowledge of the real e-mail address associated with an anon.penet.fi address. And in the end, it all boiled down to Julf: did you trust him? He was honorable, but that wasn't guaranteed.
Nevertheless, many thousands used the service mainly because it was the easiest anonymizer to use. And yes, as many security geeks pointed out endlessly, the ease of use made it more vulnerable than other systems.
lake effect weblog
{Network engineer in Chicago--looking for work!}
The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot. [snip]
Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."
Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of
You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.
What bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog. Fortunately ZDNet is reporting that "a simple HTML script" (long way to say "URL") could also thread the security needle.
miyax writes:
If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service.
Uh, actually, no. That should read "to any badly-programmed web-mail service". See, they didn't invent some gosh-darn super-duper smart-agent neural-net jacked-into-the-matrix hack; they found out that Hotmail hadn't locked all the doors, that's all.
(Sadly, that's pretty much the case with ANY system cracking.)
I don't think it's possible to use Lynx. See here for why.
http://www.machineofthemonth.com/misc/ma0.html
Software testers needed for
Forget the security implications for a moment. Why not start cracking the email accounts for fun? For example, there are a number of Congressmen who use Hotmail accounts. And folks in the media (think: anchors). Heck, even Monica Lewinsky used Hotmail, right? (Try: mlewinsky.) There could be a lot of fun had here before Hotmail fills the hole. (Which I'm surprised they haven't done yet.)
No, Microsoft didn't start Hotmail. However, Microsoft did start the Passport integration. In the course of doing this, they modified CGI scripts and failed to think through the security implications of what they were doing. Which is par for the course for MS. End result: because of a stupid error by MS, large numbers of people had e-mail compromised. In any competent setup, this error should be caught before going into production. In most Unix shops, it would get caught. Around MS, failure to catch things like this is endemic, which is why I don't trust their products from a security standpoint. I'm just happy I don't need Hotmail to get Web-based e-mail.
This is just way too funny.
See for yourself.
I hope nobody else thought I was accusing FreeBSD of being insecure! It just sounded like Bendawg thought Hotmail was running on top of Windows. Er, maybe not. Whatever. Bottom line is, MS can make anything insecure.
Holy crap......
Secure web-based mailer?
:)
Easy.
Put MindTerm (java-based SSH) on a web page on your server, log in, and use pine 8-)
This sounds reasonably secure to me.
Well, I saw it coming. I was never a friend of web based freemailers, anyway, especially not hotmail. However, it would be interesting to know more details on this hack. Is it just a hotmail problem? What about other freemailers such as yahoo? is there some official statement by hotmail? Inquiring minds would like to know.
Well the how seems "simple"... it's a security hole. In the URL that the little script generates, you can change the password=eh to pasword=xxx, or whatever, and it still works. You can also change the user account name to some other account name and it still works. In fact, you can have an empty passwd= part in the url and it works....
So basically what I think this is, is simply access to a machine that normally users only get directed to once they've gone through the login process. Also, normally the parameters in Hotmail's URL's are encoded or something, but I wouldn't be surprised if what we see encoded in normal Hotmail access decodes to the URL type syntax this script generates.
I just wonder what a CURMBOX is...
If this is true, it just took someone to decipher the url encoding, and voilà.... and knowing MS, it's probably ROT13 or something.
Well I tried the URL and it didn't work. But I'm not surprised I'm getting to this rather late. What makes me laugh though is that in the past months they have been screwing with Hotmail so much supposedly making it more secure.
Whoever thought up that wonderful scheme of routing through a secure server should be drug out into the street and shot. Now I can't check my hotmail with lynx.
----
"War doesn't determine who's right, just who's left"
Steven Wright
First of all, Hotmail is not run on NT, and does not use ASP. It is run on FreeBSD/apache (see netcraft for details). They tried to migrate it to NT when they bought it, but NT couldn't handle it, so they switched back.
Second of all...well, there is no second of all, but I wanted to make sure everyone realized this is NOT an NT problem.
Juiced? Or Not?
I just went into my g/f's account with no problem - it looks like the hole is still open!
------------------------------------------
"We are but packets in the internet of life."
"I disapprove of what you say, but I will defend to the death your right to say it."
- Evelyn Beatrice Hall
Whoah. This is now the lead story over at CNN Interactive... (HTTP://www.cnn.com)
Never ask a geek why, just nod your head and slowly back away. -Rob Malda
I said the same thing and then went and told all the people at the office to pull their hotmail accounts.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
So how long will it take ms to go hunt down the guy who owns the domain? Wonder if his server got cracked and it was posted there?
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
yeah i remember that story. anon.penet.fi was shut down by the Finnish government i think. That was a sad day. A lot of the people on there were survivors of sexual abuse and what not.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Well it looks like things are dead for now. A user who came in late to the office wanted to clean his box out but couldn't get there so I took him via the direct url and now it's saying no permission on /cgi-bin/start so it looks like they've closed for good.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I wonder if the information about the compromised accounts will ever be mentioned on the HotMail pages...
In the meantime, does anyone have more details about this? Specifically, I would like to know if the crackers stole a list of passwords or if they found a way to enter the site without using a password. In the former case, you would only have to change your password to be safe. In the latter case, you could hope that the HotMail staff would patch the hole quickly.
-Raphaël
"Once we were notified we began investigating," the spokesperson said. "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy."
http://www.news.com/News/Item/0,4,41069,00.html
Hrm.. "advanced Web development languages".. URLs that map to backdoors.. uh.. OK. Hey.. I know HTML.. does that mean I'm super advanced? Maybe I can apply to Mickeysoft and get a nice job... fixing those highly advanced URL type of problems.
Sheesh.. they can't even come up with good spin. C'mon, I'm thinking alien attacks, Bill gone mad, Linux/BSD users invade Redmond and take over the place... ANYTHING but this sort of crap.
--
Neurowiz
I use two MSN sites that use Microsoft Passport, Hotmail and MSN Investor. They refuse to cooperate with Passport! Investor has a feature to store your portfolio on a centralized server so you can view it from any web browser (after authentication), but that portfolio never responds or it scrambles my portfolio data. When I then jump to Hotmail, it forgets my password (which I asked it to remember on my home computer). Damn this software is stinky..
cpeterso
Wired is reporting that the same thing happened 6 months ago, and it was fixed without getting any media attention. The cr/hacker group that reported this one was supposedly publicizing it because MS only fixes things right when it lands on the front page news, and they wanted to call attention to that problem.
Wired also reports speculation that it was a deliberate backdoor that was supposed to be secured by obscurity.
Who knows? But if I had a hotmail account I'd assume that people had been reading my mail (and doing Bog knows what else) for months.
Sheesh, evil *and* a jerk. -- Jade
Dear Valued Customer,
You may be aware from published reports that today MSN Hotmail experienced service issues that have generated questions about security.
Microsoft was notified early Monday morning (August 30, 1999) of a potential security vulnerability that could enable unauthorized access to Hotmail servers.
Typical underplaying. Plus, it's confusing - it states the problem occurred "today"..well, I'm reading it on Tuesday. The typical non-techie reader of that might read that and think "huh?" and continue on, business as usual. He/she might think twice about using Hotmail if their public announcement stated,
"For some time, Hotmail accounts were open to anyone possessing knowledge of a hack that was widely distributed on the Internet. People with this knowledge, which was fairly simple, could read your email, delete it, and/or send email impersonating you. We don't know if any of this happened to you, but on Monday, after this exploit was featured on several news sites, we kept Hotmail up for hours while probably millions of people roamed through the Hotmail service, gaining unauthorized access to countless accounts. Cross your fingers. Thank you, and we hope you continue to enjoy our superior service."
Potential security vulnerability indeed.
The obvious first thing to do would be to suck a couple million blocks from the leaders on distributed.net... look for people using hotmail addresses, send them their password, read it, then assign their keys to another address. Now, this could certainly help Slashdot catch up with Guy Kawasaki and his playmates, but it might be a better way to get one's own participation in jeopardy.
-Chris
And I suppose you've never locked your keys in your car before?
--
Do I look like I speak for my employer?
If you have ever locked your keys in your car, or left the headlights on while you went shopping, or nuked something in the microwave and then forgot about it, this could happen to you. I don't mean to downplay the severity of this, it's a serious bug with significantly negative consequences, but the only prerequisite to making this sort of bug is to suffer from a temporary case of sheer absent-mindedness.
Perhaps a better analogy, come to think of it, is the flawed mirror of the Hubble telescope. As I remember, that was also caused by a very simple but (as it turned out) very costly blunder.
--
Do I look like I speak for my employer?
There may have been a lot of survivors who used it, but I was also once sent flame-mail via the service. Of course I suggested that someone who dared insult me should do it to my face, which amazingly stopped that dead in its tracks.
They'll probably release a Hotmail Service Pack sometimes early next year ;)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
It's still working... I can't believe something like this is possible - and it's not even /.'ed :)
Why don't MS just block requests from the referring host in question? How hard can it be?
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
Is this really true? Can somebody provide a news link for any stories? I don't think posting a link to the h4x0r www entry page is a good idea, though.
This is a backdoor, not a crack of the password files. Changing your password does not protect you here.
Could be just my connection, but I could not hit any of the hotmail servers.
About time they got around to fixing it.
Yeah, it is Moxy Früvous.
I informed my users of the backdoor this morning, and told them to delete all private mail from their hotmail accounts.
One of the users just told me that when trying to log in from the www.hotmail.com page, they're getting "connection refused". I just checked, and it's still possible to get in via the backdoor.
It would appear that now, not only is the backdoor still open, but it's going to be impossible for legitimate users to clean out their mailboxes.
MS should just shut the site down until they can get this sorted.
.@.
kinda brings a tear to your eye doesnt it.
Well, two messages saying the cgi is down, but the exploit is still working on this end. Caching?
What's needed is a good, free, SECURE web-based freemail. There have been a number of such attempts, such as HushMail, etc. - but all are pretty lacking. A good overview of "secure" web-based mailers can be found at Counterpane.
It's time for people to start rejecting inherently insecure solutions.
I've gone to the site and viewed two different hotmail accounts (mine and my brother's). My brother has _never_ used this machine to read his Hotmail (it's at work and he's never even been in the building!), so it's not based on cookies etc.
Changing your password doesn't protect you either.
I've tried it.
:o(
could someone write a perl script to break in there and start deleting accounts? i bet that the script could get rid of 2 or 3 million accounts before anyone caught on...
KMFDM Sucks
Hmm..
hotmail's cgi-scripts seem to be taken down.. hope they manage to fix the bug soon.
Greetings,
Ivo
The crack stopped working a few minutes ago. Unless hotmail is /.'ed
Then they immediately issued a press release saying that the security hole in hotmail had been fixed....
Actually, maybe they had the lines hardwired, so they had to use wirecutters.......
They're just gonna kick their butt right out of the plane and then toss them a parachute.
Somebody has to catch fire for this. My guess some middle-management blokes. There are no decent coders around to fire or else this probably wouldn't have happened.
The idea is pretty obvious if you ask me. I thought about doing it years ago, but IT'S ILLEGAL in the USA. They are located in Austin Texas, so my guess is that it won't be long before uncle sam shuts them down.
-- Virtual Windows Project
I did check out your web site, and I did not see any indication of this. Your domain record lists an Austin Texas address and your FAQ makes no mention of legalities. I would think this is a fact you would want to make well known. I even wrote one of the email addresses on your web site about this particular question and received no reply.
Even with the precautions you have taken, I see you running into trouble with the law if you become popular. Make sure you put some money aside for the lawyers.
-- Virtual Windows Project
Unless I'm mistaken (a very distinct possibility) it is running off of Slowlaris boxen.
I would suspect that the hack was not in the OS itself, but rather the hotmail software itself.
Give a man a match, you keep him warm for an evening.
Light him on fire, he's warm for the rest of his life
Someone please go to cnn.com and explain to those who put up the message board HOW DO YOU DEFINE A HACKER? what a hacker is. I don't have the strength anymore... Sigh! Hacker != cracker, how difficult can this possibly be?
no kidding...
lets face it - security holes pop up on all platforms, *nix, windows, whatever. the key is how a company responds to the holes and m$ doesn't seem to have learned that lesson. they figure they can keep everyone in the dark for as long as possible.
the same thing happened with the big iis hack a couple of months ago
---- There is a fine line between sayings that make sense.
Got cookie problems? I think if you have to many hotmail account cookies, it doesn't let you read any other accounts. To remedy this problem, just delete the few .msn.com and hotmail lines in the cookie file.
Iam
I would if I could, but I can't so I won't.
"Software is a tool, and as a toolbuilder I must struggle with the uses to which the tools I make are put." - Bil
It took Hotmail a good long time to respond to this crack, which has been up since Sunday morning proximo. During that time, much email has been illicitly read, some illicitly sent, a few DejaNews identities probably pirated.
If the users of Hotmail wanted to try their hand at a class-action suit, they might be able to pull it off. Yes, Hotmail is free, but they generate income based upon the number of users; therefore, their userbase is responsible for their income. They can't ask for their money back, but they can probably collect damages.
Something for an enterprising attorney to investigate!
--
Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
Or maybe it's a convenient way for certain people to read your email as a matter of course?????
Obviously what he meant was that he gets nothing but spam from *@hotmail.com (hotmail users).
Mark
If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service. While I think this is funny, that's only because I don't use Hotmail! But I do use web-based e-mail (not telling which one so you don't get any ideas : ) and this scares the shit out of me...
miyax
I heard somewhere that the Microsoft passport system is what caused the security leak. Here's some PR at the passport site
"Gone are the days when you had to remember a member name and password for every site you visited. With your free Microsoft® Passport, you select just one member name and password to use on a fast-growing number of major sites!"
Currently they're working with a slight variation of the above plan but it's still ingenious, by getting rid of passwords altogether it is darn easy for you to log on.
It's turtles all the way down.
Looks like MS HotMail closed the front door but left the back door open. If this is the case, its a greater disservice to users that the lame security was in the first place. Now legitimate users will have to use the hack to protect themselves.
better names than you picked: better_sprintf(), better_sscanf() and better_gets()
0x or or snor perron?!
According to c|net's story, the original exploit web page claims to have been written in June 1998!!!
There's also a great spin quote from Microsoft:
"Once we were notified we began investigating," the spokesperson said. "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy.
I just went to the mirror page listed above and put in an account I use when posting on Usenet and got the usual whole page of spam messages. Then I went back in through the portal and got the same spam messages.
Pretty clever fake, that is.
Now let us watch the spinmeisters at the MSFT marketing department blame it on Apache/Unix. I can already hear them now, "Well, hotmail was implemented on Unix, using Apache, and if it would have been on an NT box with IIS, this would have NEVER happened! It's the fault of those open source programmers who don't know how to write secure code!"
'10061 connection refused'
"Oh fsck! What do we do ???"
"Pull the plug!!!"
"You want me to--"
"NOW!!!"
YANK!
---
Wow! It just blew right to the front page!!!
---
Hotmail doesn't disconnect their service like eh.... right now seems a good time! I mean... this seems like the sensible thing to do now...
Compare Hotmail as it was *BEFORE* Microsoft got its hands on it as opposed to the way it is now. I wonder if this exploit depends on something MS have added on. Now thanks to MS, you can't use older browsers or Lynx with it.
They changed it to requiring SSL wonder why...
I moved my primary account a year ago, but I still have ~10 mailing list accounts on it. (It was the fastest at the time.) At least you've got to change the password to something that doesn't resemble your other passwords.
CY
You can't "FUD" your own product. Boy is this word over abused or what. Even Microsoftie AC astroturfers and Dvorak are starting to fashion the word. :)
CY
At first there were only the webpages with the script to let you in. Then people mentioned that all you have to do is type in the URL with a bogus password field (note the: "bounced directly into a user's mailbox"). It's all the same hole. And it's fixed now.
:)
It shows that CNN is reading Slashdot, though
(and not understanding all of it).
--bdj
...without actually looking at a real person's mail, just use one of those addresses you get spam from. pplegal for example - it's full of bounced spam, of course.
If I had a Hotmail account (which I don't)
And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)
And I was able to prove financial loss through this breach (which will almost certainly be the case for someone)
Who do I sue?
There is a place in this world for lawyers. But then there's a place for fungus too.
from the ABCnews.com article
A Microsoft spokesperson today confirmed the hole and said the company has fixed it. "Once we were notified we began investigating," the spokesperson said. "We found it was possible for a malicious hacker to gain access to the Hotmail servers through specific knowledge of advanced Web development languages. We turned off the servers in the interest of security and user privacy.
just to be sure, I checked an account (mine, which I rarely use because I never really trusted M$ to be able to do this sort of thing competently) and lo and behold, "Error 403: Forbidden" (they turned off the permissions for /cgi-bin/start. I'm no expert, but I'm guessing this is only a quick fix.)
but I just love the quote. since when does changing the cgi queries in a URL involve "specific knowledge of advanced Web development technologies"? good ole' Microsoft. at least this time, they actually admitted the problem even existed within a reasonable amount of time.
whatever, just had to get that off my mind. :)
--- this comment is presented in WIDE SCREEN STEREO!!!
This was the headline of a tabloid here in Sweden this morning. Though at the time I assumed it was just more Internet FUD. Could it be that we are finally seeing public awareness to network security??? Hopefully we can smudge Microsoft over this story in the popular press.
/. is like a steer's horns, a point here, a point there and a lot of bull in between.
-
I wish to God that CmdrTaco did not post this. I have been having fun reading my friends' mail and what not (hehe.. not really) for a while. Then it is on /. and in turn everyone knows about it. So of course they close it up. Too bad we could not have kept this one silent.
(this comment will probably seem redundant, but) it looks like Microsoft has finally taken care of the problem, albeit temporarily. Hotmail's main address is down and the server was obviously instructed not to let anyone in.
it really was fun while it lasted. i tried names at random (bob, billgates, jane). i thought about checking my friends account, but that just seemed downright wrong.
Sorry, as an MSN employee, I must clear this up.
Hotmail started out with FreeBSD as the front door and Solaris as the backend. There are about 2000-3000 machines all running FreeBSD at Hotmail.
MS tried to use MS-Proxy in front of the FreeBSD boxes, and ended up dying pretty badly. Hotmail is pushing the envelope on the capabilities of the hardwares and OS'es it runs, so I don't think you'll see NT there in the next 2-3 years.
What was cracked was the Passport authentication scheme.
I don't think Exchange can handle 50M users, much less all of them trying to login at the same time like Hotmail can. In fact my Exchange server can barely handle just having 100 users, and it's a Quad Xeon-450... It's always going down, and its mail database system always gets screwed up when the damn thing crashes. Having mail in an internal database is pretty lame, I could understand if they used SQL-Server for the DB, but they don't.
I'm no lawyer, but is typing in an URL illegal ? I'm probably wrong, but cracking passwords and the like *is* illegal, this is just typing an URL... maybe I'm far too optimistic.
Well, the following URL *nearly* works... just complains a bit about cookies...
http://wya-pop.hotmail.com/cgi-bin/HoTMaiL?curmbox=ACTIVE&js=no&login=USERNAME&passwd=aaa
So, we now know MS's security policy... if in doubt, change the filename...
The thing I don't quite get is is it too difficult to check the HTTP_REFERER setting to see if the request came from HotMail ? Surely that would be a good hotfix to buy more time, and a pretty quick one at that.
that's why I said it as a hotfix to buy time... not as a permanent method. By the time it had been figured out by those capable you could have a new system roughly in place...
here's the sad part: http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=USERNAME&passwd=eh
what do you do? replace USERNAME with the username of the hotmail user wanted.... now THAT is some killer security... that is such a giant hole it is not even funny.
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=USERNAME&passwd=eh
replace username with the name of the account you would like to see. For some reason some accounts do not work as well as others, they will complain about cookies or an intrusion... 90% work great though.
Sad sad sad
From my very lame understanding - it's a collaboration of OS's. Including NT with ASP. But, really, does anyone REALLY know all that it uses? Does MS even know what it's using? Hmm...
I could be wrong, so don't take it to heart - this is just what I learned. So go ahead and flame me if you heard different...
Correction... Hotmail is running Solaris on Intel architecture machines (I won't say boxes cause they aren't... all hail the Hotmail server farm) now this may have already been said but i'm to lazy to read through all the postings... P.S. i know the above first hand (ie. i seen it)
Welcome aboard. Need any help? :)
"Classic UFO's
Works fine for me. :) This is great...but evil at the same time.
--
My girlfriend gets upset when I check out other chicks.
Don't lead me into temptation... I can find it myself.
Where does your sig come from ? Have been looking for the words to that ?drinking? song since I first heard it a while ago... What band? title? other words?
:-)
To add insult to injury, looks like a Microsnot lover got at the site!
However, the analysis provided by many people on here is correct. Using the URL:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=UserID&passwd=eh
still works, and I'm curious to see how long it will take M$ to patch the hole up. Given M$'s security history, they seem to think a security hole is patched if no one knows about it.
Anyone wants to start a pool to determine how long it will be before it's fixed?
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
At any rate, I'm not sure it's illegal to type in a URL? Like someone pointed out, what if you're just testing the integrity of your own mailbox? I only checked friends' accounts, after getting their permission.
Sides, I'd like to see Microsoft sue the whole of the Slashdot readership!
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Well, sheesh, my apologies to the XOR fans out there... :-)
I was indeed thinking of those companies that call XOR'ing the plaintext with a fixed string "secure encryption".
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
For instance:
Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of /.ers. Besides, they don't mention the URL; how the hell could the CNN readers find it? It was posted here on /., though.
Funny, seems we helped Microsoft this morning by forcing them to realise they were in trouble, and now CNN is taking the responsibility!
I think Rob and Hemos should sue!!!
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Oh. Yeah, that makes sense. I still think whoever stumbled upon this at CNN was reading it right off Slashdot.
What bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- is that they seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog.
I know, and I agree; it's irritating. The crux of the matter is, the bug was there in plain sight, but it didn't come to attention before. It's easy to go through a normal Webmail usage routine, and try to see if any URL can be validated without password.
The backdoor, as it is, wouldn't be such a big deal if it were an advanced programming technique. It's the simplicity of it that's a little boggling, and it may be easier to criticise than to actually do it, but this sort of thing would be foremost on my mind when developing a Web-based mail service. It's basic stuff: you want no URL to be valid when it deals with private information if there is no password validation taking place.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
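The hole described in the thread (the `login` query parameter picks the mailbox while `passwd` is never checked) and the principle in the post above (no URL touching private data should be valid without a password check having taken place) can be shown side by side in a small handler. The code below is an added example, not Hotmail's CGI code; the mailboxes, users, passwords and request URLs are constructed for the demonstration. It also covers the HTTP_REFERER "hotfix" proposed earlier in the thread: the hardened handler does not consult the Referer header at all, since that header is supplied by the client and proves nothing about who sent the request.

```python
"""Toy web-mail handler: the broken form the thread describes next to a
hardened form. Added example; all data here is constructed for the demo."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: mailbox contents and salted password hashes.
MAILBOXES = {
    "alice": ["Re: lunch", "Invoice #123"],
    "bob": ["Flight confirmation"],
}
SALT = b"demo-salt"
PASSWORDS = {
    "alice": hashlib.sha256(SALT + b"correct horse").hexdigest(),
    "bob": hashlib.sha256(SALT + b"hunter2").hexdigest(),
}


def _password_ok(login, passwd):
    """Compare the stored hash with the supplied password in constant time."""
    stored = PASSWORDS.get(login)
    if stored is None:
        return False
    given = hashlib.sha256(SALT + passwd.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def vulnerable_start(url, headers=None):
    """Broken handler, as the thread describes it: the mailbox is chosen by the
    'login' query parameter and 'passwd' is read but never verified, so any
    value (or no value) opens the box."""
    qs = parse_qs(urlsplit(url).query)
    login = qs.get("login", [""])[0]
    _unchecked_passwd = qs.get("passwd", [""])[0]  # never used: this is the bug
    if login in MAILBOXES:
        return 200, MAILBOXES[login]
    return 404, []


# Hardened form: credentials are verified once, a random session token is
# issued, and later requests are served only for the account bound to that
# token. The URL's 'login' parameter no longer selects the mailbox.
SESSIONS = {}  # session token -> login


def hardened_login(login, passwd):
    """Verify credentials and return a fresh session token, or None."""
    if not _password_ok(login, passwd):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = login
    return token


def hardened_start(url, cookies=None, headers=None):
    """Hardened handler: the account comes from the server-side session, never
    from the URL. Non-sensitive parameters such as 'curmbox' may still come
    from the URL. The Referer header is deliberately ignored: it is client-
    supplied, so checking it would be no substitute for a session."""
    cookies = cookies or {}
    owner = SESSIONS.get(cookies.get("session", ""))
    if owner is None:
        return 403, []
    qs = parse_qs(urlsplit(url).query)
    box = qs.get("curmbox", ["ACTIVE"])[0]
    if box != "ACTIVE":  # only one folder exists in this toy
        return 404, []
    return 200, MAILBOXES[owner]
```

Running the two handlers against the same request shape makes the difference concrete: the broken one returns any mailbox named in the URL regardless of `passwd`, while the hardened one returns 403 unless a session cookie obtained through a real credential check is present, and then serves only the session owner's mailbox even if the URL names someone else.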
This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)
On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail for Email with a real security. At least their encryption isn't just XOR-based. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
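The two posts above dismiss XOR against a fixed string as "secure encryption". The reason is that such a scheme leaks its key to anyone who knows, or can guess, a few bytes of plaintext (a fixed greeting or mail header is enough), and one recovered key decrypts every message. The example below is added here and is not from any product the thread mentions; the key and the messages are constructed for the demonstration.

```python
"""Why a fixed repeating XOR key is not encryption. Added example with
constructed key and messages."""


def xor_fixed_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key. Because XOR is its own inverse, the same
    function both 'encrypts' and 'decrypts'."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Given one ciphertext whose first key_len plaintext bytes are known
    (a fixed greeting, a header line), XOR returns the key byte for byte."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decrypt_others(ciphertexts, known_index, known_prefix, key_len):
    """Recover the key from the one message with a known prefix and use it to
    read all the others; this is the whole attack surface of fixed-key XOR."""
    key = recover_key(ciphertexts[known_index], known_prefix, key_len)
    return [xor_fixed_key(c, key) for c in ciphertexts]


# Constructed demo data: a fixed key and two mails sharing a boilerplate greeting.
DEMO_KEY = b"s3cret"
DEMO_MESSAGES = [
    b"Dear Valued Customer, your portfolio is attached.",
    b"Dear Valued Customer, your new password is hunter2.",
]
DEMO_CIPHERTEXTS = [xor_fixed_key(m, DEMO_KEY) for m in DEMO_MESSAGES]
```

Knowing only that mails begin with "Dear Valued Customer, " and guessing the key length is enough to recover `DEMO_KEY` from the first ciphertext and read the second; a real cipher does not collapse when one plaintext is known.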
Oh yes, simply because Microsoft owns Hotmail, that is the only reason for the security hole. I'm sure there's NEVER been a Linux server with security problems (yeah, right)
I think there is a bigger issue we must consider here - namely, is there a system hackers can't crack if they turn against it - the only reason Linux sites have not been attacked so far is because a lot of the hackers are on the side of the "good" forces - namely unix in general and want to see the dark side die.
But we may start seeing a lot of unix based sites being cracked when these people turn their attention to them.
This whole mess has nothing to do with Microsoft - its hotmail running on BSD unix !!! Just another company with 40 million users .....
I wonder how much money Microsoft has spent in the last couple of months on damage control? Covering up the Linux PPC/windoze 2000 fiasco, keeping Redhat's stunning debut from being a top story, and now this Hotmail thing... If we hear anything about it at all, I can see the news clip now, "Hotmail.com was ruthlessly hacked today by renegade Linux users (believed to be associated with the renegade web site slashdot.org). Only lightning quick responses by Microsoft (and particularly Bill Gates himself) prevented a major security breach for millions of users."
please, this is starting to annoy me.
-theres only one everything
01101100 01101001 01101110 01110101 01111000 01110010 01110101 01101100 01100101 01110011
This is serious.. I have no idea why they haven't pulled the fucking plug on the box. I'm glad that I never had any cc's on there.
This thing actually works..
...
Bitchslapped? Give Rob a bitchslap from bitchslapped.com.
> I just wonder what a CURMBOX is...
curmbox=ACTIVE: looks like some kind of status flag. Maybe it stands for "Current Mailbox".
There is a spellbook here; eat it? [ynq]
This passport problem could run a lot deeper than just email. MS's new version of moneycentral.msn.com requires that you have a passport account. This service allows you to track your stocks via a nice GUI. It also has the ability to store this information on MS's servers so that you can access the information from any computer. I don't do it that way.. but I am sure that many people do. Oh and anybody remember MS wallet? I believe that the next version is supposed to use this wonderful device called MS Passport.
Neither could Solaris.. that is why the hotmail server architecture is distributed.
There's a large chance that this is true.. MS would love for it to run on a system they created (and understand).. and it would be great advertising.
POP3 is a little safer simply because normally the user downloads mail and it's deleted from the server. Attacking the server can only compromise mails still undownloaded.
Webmail, you can often see the entire history of mails received by the all the accounts on the web server. That makes an exploit more damaging.
Neither is a secure channel, for sure.
Jim
So I decide to check my dear colleague's hotmail account through the cracked link and bingo - plenty plenty plenty confidential info forwarded from his work address as he is on vacation.
:->
Fsck, this is serious.
I see the cgi prog is no longer at the 2038 URL
trolling the first world...
Logging in now is a BAD idea.
Microsoft is obviously aware of the problem, and their lawyers will hunt you to the end of the earth.. nobody can get into Hotmail except for those who hack in. This is an *easy* way to keep track of IP's that break in.
It's too late for me but maybe not for you..
Hi. I tried this with some ID's from friends. I got through on one, but after that I got access forbidden (403). Has anyone tried twice? Or more than one acct. from the same IP, or did they fix it?
Don't know how, but it looks like they're redirecting the redirect to a new address.
I looked it up on www.netcraft.com.
The webserver, at least, is:
www.hotmail.com
www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD
It worked w/o a password on my own account. I was too fearful to try any others.
The site just went down. And by that I mean www.hotmail.com. Lucy, you got a lot of 'splaining to do!
Well, the pages I've been using have just now started to be refused by HotMail. Looks like they had to take down the whole hotmail site to fix the problem; I wonder how long that will last! I can't connect to www.hotmail.com, or via the "crack", it seems.
:-)
Or are they just refusing traffic from my site?
---ZahrGnosis
I did a trace route and found that the route to hotmail seems to be down.
bordercore1.Sacramento.cw.net [166.48.188.1]
Can anybody confirm?
The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data.
The Site is gone already... Pointing you towards MicroSlut's Wall of Shame Page, I mean their security holes page... [grin]
If I'm right isn't hotmail.com running on UNIX? that figures. UNIX has more holes than an old woman's underwear.
hmm, how about all those "send password via email" websites.. Wonder how many let you see their members id & email address.. (ICQ??)
LynxSSL. I encountered this when M$ yelled at me for not using SSL. Oh well. At least I now have 128-bit lynx courtesy of replay.com =) ... because of SSL, when you use the crack, no-one will know what account you're cracking *grin*
With the new Hotmail it's sooooooooo more secure
=) d
"Bastard Operators From Hell" is an anagram for "Shatterproof Armored Balls". =)
Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here to see the MS FUD on "Passport Security".
sort of auto-linking abusing the url.
Just keep in mind that other programs don't have to come from MSFT to be coded badly. Remember the bad ol' days of Sendmail popping up on BUGTRAQ every so often, along w/ imapd and wuftpd? So switch if you like, but don't get too complacent and neglect to lock down a critical box.
You can have the safest OS in the world, and still have lousy security if a single privileged, network-accessible program is written with the slightest bit of carelessness...
Only the dead have seen the end of war.
I believe the Finnish server you were referring to was an anonymous remailer service at anon.penet.fi; one that, if memory serves, anonymized both ways (one could anonymously send mail to a user of the service, as well).
Word is, that the service was shut down after the judicial system was used to disclose account information, after the Church of Scientology went after a disgruntled ex-member who was using anon.penet.fi. However, that might only have been possible since it was a remailer service, and thus had to know about the actual e-mail address if memory serves. Thus, the real (non-anonymous) account could be revealed.
Web-based systems might change that, if the admins -- and users -- actually care about security and anonymity. Hotmail clearly does not, as it puts IP addresses in mail sent via itself -- addresses that could point to a whistleblower's work machine, for instance, and it also requires a bit of information for registration.
Only the dead have seen the end of war.
Here's a little problem I've noticed (including relating to the recent ProFTPD root exploit).
:-)
People think they can get away with strcpy, or sprintf, or similar. This is wrong. You should ALWAYS verify the amount of data copied, whether it be to a fixed sized buffer, or a malloced region.
strncpy, and snprintf are very, very good ways to secure your code from the start.
But this is often disregarded! Agh! Pascal and Basic make people soft about how they handle strings, because they encode length in them and use their buffers in a way that seems logical at first, but is very holey when it comes to actually implementing things.
Strings in C != hard, if you can accept the ideas of pointers, string library functions (I like the abstraction), and general good coding techniques
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
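The point of the post above, as an added C example that is not code from this thread, from Hotmail or from any of the programs it mentions: an unchecked strcpy into a fixed-size buffer beside three bounded alternatives. The buffer size USERNAME_MAX, the function names and the "Welcome" format string are assumptions chosen for illustration. The example goes slightly beyond the post by showing the two traps the post's advice does not spell out: strncpy leaves the destination without a NUL terminator when the source fills it, and snprintf only tells you about truncation through its return value, which must be checked.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field, the kind of buffer a CGI would hold a login name in. */
#define USERNAME_MAX 16

/* The pattern the post warns about: nothing checks that src fits in dst.
 * Any src of USERNAME_MAX bytes or more writes past the end of the buffer.
 * Kept here only for contrast; it is never called by the safe code below. */
void copy_username_unsafe(char dst[USERNAME_MAX], const char *src) {
    strcpy(dst, src); /* undefined behaviour if strlen(src) >= USERNAME_MAX */
}

/* Hardened: measure first, reject input that does not fit, always terminate.
 * Returns 0 on success, -1 when src would not fit (dst is then empty). */
int copy_username_safe(char dst[USERNAME_MAX], const char *src) {
    size_t len = strlen(src);
    if (len >= USERNAME_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1); /* len + 1 copies the terminator too */
    return 0;
}

/* strncpy variant: bounded, but strncpy does not add a NUL when src fills
 * the buffer, so the terminator is written explicitly.
 * Returns 0 if the whole name was kept, 1 if it was truncated. */
int copy_username_strncpy(char dst[USERNAME_MAX], const char *src) {
    strncpy(dst, src, USERNAME_MAX - 1);
    dst[USERNAME_MAX - 1] = '\0';
    return strlen(src) < USERNAME_MAX ? 0 : 1;
}

/* snprintf variant: never overflows, but the return value is the length the
 * full output WOULD have had, so n >= outsz means the result was cut off.
 * Returns 0 on success, 1 if truncated, -1 on an encoding error. */
int build_greeting(char *out, size_t outsz, const char *user) {
    int n = snprintf(out, outsz, "Welcome, %s!", user);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)
        return 1;
    return 0;
}

int main(void) {
    char name[USERNAME_MAX];
    char line[24];

    printf("safe copy of \"alice\": %d -> \"%s\"\n",
           copy_username_safe(name, "alice"), name);
    printf("safe copy of a 32-byte name: %d\n",
           copy_username_safe(name, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("strncpy copy of a 20-byte name: %d -> \"%s\"\n",
           copy_username_strncpy(name, "0123456789ABCDEFGHIJ"), name);
    printf("greeting for \"bob\": %d -> \"%s\"\n",
           build_greeting(line, sizeof line, "bob"), line);
    printf("greeting for a long name: %d -> \"%s\"\n",
           build_greeting(line, sizeof line, "verylongusernamethatoverflows"), line);
    return 0;
}
```

The rejecting version (copy_username_safe) is usually the better choice for a login name: silently truncating an identifier can make two different inputs collide, which is its own security problem.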
Yes hotmail runs BSD/Apache, but MS bought it. It's most likely the code and MS IT managers should have seen the security problems and addressed them.
But this is also a problem with IT management everywhere. Sys admins typically tell IT managers everything that needs to be done (backup, security, etc.), but IT managers are reacting to poor business practices of the marketing/sales people, and ignore problems until they happen.
Not necessarily. Ms didn't invent Hotmail, probably did not improve it, and may not even have changed it.
I strongly urge you (for a laugh) to take a look at billgates@hotmail.com, bob@hotmail.com, and xxx@hotmail.com.
Gates sure likes his pr0n...
anyone got a link? plus i guess it was just a software fault, nothing else... right? sloppy programming (m$ style) and people that had time to track it and exploit it...
...they are not green
nevermind... it is too dangerous
let's wait for ms to plug the hole
...they are not green
a lot of people used it and it works fine... like getting to admin@hotmail.com.. and any other existing account
...they are not green
so what am i supposed to do if i have an account with hotmail and i have sensitive information there? any suggestions? i guess all i can do at this point is delete everything remotely important and pray that no one that would be interested will log in to look at my account.
[btw - i do not have an account with hotmail, but a lot of my friends do]
...they are not green
it is working.. just heavily ./'ed
...they are not green
just wondering what microsoft can do with the domain owner that posted it?
...they are not green
i think the problem was more closely related to msn instant messenger than to msn passport (both were introduced to hotmail members recently). msn im tells you when you have mail, and lets you go to your inbox or specific messages by opening a temporary .html file on your computer that redirects you to a specific hotmail url. the first version actually put your password in that temporary .html file, but that was fixed. today, i wasn't able to use that feature of msn im. i got the same error as when i tried to access my account through the 'crack' page.
perhaps the problem was that they implemented the fix for the temporary .html file containing your password too hastily?
The shareholder is always right.
Anyway, thank God I ditched Hotmail a long time ago...
ufdraco
Hotmail is DOWN!!!!!
It runs on Solaris and FreeBSD.
You people piss and moan about FUD, then you spread it yourself by spreading the incorrect notion that Hotmail runs NT. It doesn't, idiot.
-witz
Well, this one works.
:)
http://area51.slashnet.org/~drw/hotmail.phtml
Or at least it used to, they may have fixed it by now. I went in and looked at three people's accounts with my own two eyes (including mine), so I know it works. Unless they download every single hotmail account to fake, this is/was a real exploit.
Apparently it was a screwup on the part of whoever programmed that part of the CGI running Hotmail. I'd love to know who made that mistake.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Has anyone tried sending email? I just logged into a friend's account using this exploit, and sent myself an email using his account. It showed up here at my ISP's server.
This is really really really bad. What can't you do with this?
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
The index.cgi program that drives the crack just got pulled. I think all of us here beating on it got the attention of the sys admin at 2038.com.. ;-)
Take care.
Polymorphism -- It's what you make of it.
If you ask me, MS has made Hotmail a much better service... too bad for the angry, bored geeks who must crack everything MS. If Red Hat bought Hotmail, nobody would've thought of cracking it.
And if Passport was Open Sourced (whoever said this should be shot, IMHO), EVERYONE would know how to hack it. My God man.
-AstralM
Jeez, I don't get people slamming M$ for browser compatibility. I'm sorry, but if I'm M$ I could give a rat's ass if my pages work in Netscape, except the one that lets them download IE.... And if I'm netscape, I don't care what my pages look like except the one that lets em download Netscape..... sorry folks, that's business...
I LIKE hotmail.... the new OE 5 lets you access that common web-based mailbox from right within your email client. I think it's pretty slick.
DO NOT DISTURB THE SE
after you put in someone's name, it can't locate the cgi... it's been taken down definitely now. not just /.ed
Before we start going ape on Microsoft (I'll be the last one to defend them, though), has anyone actually used the crack and got it to work?
I just tried it with a few people's hotmail accounts I know and IT DOES SEEM TO WORK.
Make sure nothing important is on hotmail.
Wow.. this is scary.
The URL works, how ridiculous.
This is obviously not an OS issue, as many have so eagerly assumed, this is egregiously bad application design.
If Microsoft was smart, they would shut Hotmail down until they can fix this stupidness. This hole is as big as a barn door, and now that the cat is out of the bag, I can only imagine the grief that some unsuspecting Hotmail users may be in for.
*sigh*
Is it just me, or has a redirect been setup at the 2038 site? It's pointing to Microsoft Security Advisor. hmmmm.
Ok, this company needs to be squashed and squashed hard. I started using hotmail before it was MSN Hotmail. I chose hotmail because it was free, low on advertising, and I could access it with a text browser (this was before I had my own pc and used a library terminal). Then Dr. Evil came into the picture and f*cked everything up. One of the first "enhancements" they did was take away my Lynx access. That pissed me off royally. Now, every (ahem) 3l33t haxor dood with too much time can use my Mastercard #. Screw Microsoft. Hotmail was fine until these losers showed up. To Mr. Gates... If it ain't broke, DON'T FIX IT!!!!
_.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._
ASCII art?? I thought it was a REGULAR expression
I read in a Swedish newspaper (www.aftonbladet.se) that HU will hack Hotmail again today.
Aftonbladet writes that microsoft only has secured one of the 6 servers which don't check the passwords, and that they're gonna "crack" another one today. I'm looking forward to this......
(If only ppl could learn the difference of HA/CRA -ckers)
To be continued I reckon.......
If you'd taken the trouble to check out our website, you'd know that our code is developed in Anguilla, BWI and our bandwidth is served out of Canada, so we are not subject to U.S. laws regarding encryption. Otherwise, logic should have told you we would have been shut down months ago.
I missed it.../me starts to cry.
Since my account was hacked using this method, I'm screwed. And it's the centre of EVERYTHING! My web site e-mails me the password of it when I forget it etc.. I REALLY REALLY REALLY need to know if there's ANY way to hack it at all? (not including a fake login page or something) by the way, it's prool@hotmail.com, reply to p_rool@hotmail.com if you can find it in your hearts. And I'm 12 by the way.