Hotmail Cracked Badly
Allright this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA
number in it, I'd think twice about it ;)
Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ENTERLOGINHERE&passwd=eh
replace ENTERLOGINHERE with the account you are cracking.
This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.
1) We're not told in this story where *exactly* the security hole is (in which part of the system)
2)According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"
So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.
Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.
Why should I prove somthing I never said? I said that MS marketing people have often mentioned they'd like to increase NT's presence at Hotmail, not that there are plans for wholesale conversion.
In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).
----
Open mind, insert foot.
$ nslookup
> 207.82.250.251
Name: wya-pop.hotmail.com
Address: 207.82.250.251
> set querytype=any
> wya-pop.hotmail.com
wya-pop.hotmail.com preference = 20, mail exchanger = mail.hotmail.com
wya-pop.hotmail.com internet address = 207.82.250.251
hotmail.com nameserver = ns1.hotmail.com
hotmail.com nameserver = ns3.hotmail.com
hotmail.com nameserver = ns1.jsnet.com
mail.hotmail.com internet address = 216.33.151.135
ns1.hotmail.com internet address = 207.82.250.83
ns3.hotmail.com internet address = 209.185.130.68
ns1.jsnet.com internet address = 209.1.113.3
----
Open mind, insert foot.
Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.
Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.
----
Open mind, insert foot.
Sorry, Billy. Really.
What are the implications of this regarding the
Microsoft Passport programme? From hotmail.com:
Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSN™ Hotmail™ member, you can use your Hotmail member name and password as your Passport!
That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites, without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.
Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click, without having to re-enter any information. No multiple sign ins, no hassles!
Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?
And, even if the admins of Hotmail don't read Slashdot or other tech news sites, the massive surge in activity, PLUS the massive surge in accesses of mailboxes should have rung alarm bells from Hotmail to Antarctica and back.
If THAT weren't enough, the admins must be aware of a huge increase in the number of people accessing via a single machine, and via a single method.
If that STILL weren't enough, they must have been notified by now that something's going on.
Finally, if complaints, surging activity from a single computer, news everywhere of the hole, and a massive increase in the use of Passport, were not enough to pull the plug, I'm sure journalists read Slashdot and some may have phoned Hotmail for a comment. System cracking is still news, even these days.
Yet, despite all of this, Hotmail still has that security hole wide open. *SIGH* That is astonishing.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
There are a lot of people who were doing illegal things through Hotmail who are potentially under surveillance through this insecurity. I don't really care about them. (I'm not talking about the person who occasionally forgets that Microsoft Word or Quake 2 or whatever is a commercial product, but more the people who put up a tonne of stuff and use it to generate money whether through banner ads or subscriptions.) I am concerned for the people who wanted anonymity for legitimate reasons. Maybe they were anonymously subscribed to sexual abuse survivor mailing lists or online support groups for the differently gendered.
A lot of people are going to state that these people were stupid for relying on a Microsoft service, but where are they supposed to go? It isn't stupidity so much as a lack of education. This is compounded by the people who are technically capable of doing the educating. Too many of them are too busy looking down at the unwashed masses to communicate the options and hazards involved with the various options.
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (it's been a while) which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
There are probably others (I don't use anonymous email myself, I do use services that allow me a perpetual email address for non-critical stuff, like providing head hunters a consistent address)
but the only thing you really hear about are Hotmail or Lycos etc.
I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.
It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.
Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?
Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.
One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing?
We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
Anonymous Coward writes:
How about some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)
I agree. Why haven't I seen this on Bugtraq yet? I'll admit I haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts /. these days).
Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.
Btw, someone want to moderate up that (intelligent) AC comment?
Do you have a
Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.
Anyway, I've been told they use "Microsoft Passport" and that's what's been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?
Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
);
Looks like it is gone now- could anyone describe it?
-luge
IAAL,BIANLY
I take that back. Holy crap indeed. Thank goodness for free school email (not that it wasn't cracked in January, but whatever...)
-luge
IAAL,BIANLY
Perhaps this is obvious, but this is not just a stolen password list. I changed my password on Hotmail, and the crack URL still happily lets me in.
I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).
Remember, Hotmail uses both Solaris and NT in various capacities.
Nothing worth doing is worth doing today.
> I block anything from Hotmail anyway, since only
> spam ever comes from Hotmail, so who cares?
The last time I got spam from Hotmail, I sent an irate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.
Here's my procmail recipe which does just that:
:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
junk
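The same check as the procmail recipe above, expressed in Python as an added example (not the poster's code): a message that claims a hotmail.com origin in From, X-From-Line or Return-Path but carries no X-Originating-IP header is classified as junk. The sample messages are constructed for the example; the assumption inherited from the post is that genuine Hotmail mail always carries that header.

```python
import email
import re

# Same sender pattern the procmail recipe uses, applied to the same three headers.
HOTMAIL_SENDER = re.compile(r"hotmail\.com", re.IGNORECASE)
SENDER_HEADERS = ("From", "X-From-Line", "Return-Path")


def is_hotmail_without_origin(raw_message):
    """True when the message claims a hotmail.com origin but has no
    X-Originating-IP header, i.e. the condition under which the recipe
    files it as junk."""
    msg = email.message_from_string(raw_message)
    sender_fields = [msg.get(h, "") for h in SENDER_HEADERS]
    claims_hotmail = any(HOTMAIL_SENDER.search(v) for v in sender_fields)
    return claims_hotmail and msg.get("X-Originating-IP") is None


def classify(raw_message):
    """Mirror the recipe's outcome: deliver to 'junk' or keep in the inbox."""
    return "junk" if is_hotmail_without_origin(raw_message) else "keep"


# Constructed sample messages (not real mail).
GENUINE = (
    "From: someone@hotmail.com\r\n"
    "X-Originating-IP: [192.0.2.10]\r\n"
    "Subject: hi\r\n\r\nbody\r\n"
)
FORGED = (
    "From: someone@hotmail.com\r\n"
    "Return-Path: <bulk@example.net>\r\n"
    "Subject: offer\r\n\r\nbody\r\n"
)
OTHER = "From: friend@example.org\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("other", OTHER)):
        print(name, classify(raw))
```

Like the recipe, this only tests for the header's presence, not its value; a sender who knows about the header can add one, so it cuts down bulk forgeries rather than proving origin.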
2 dashes and a space, or just 2 dashes?
It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.
--Joe--
Program Intellivision!
Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIV
In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.
--Joe--
Program Intellivision!
This is one reason why I avoid web mail. I prefer pop3 where the mail only sits on the server for a short time, and is then pulled down to my own system.
Plus your local ISP's pop server is not a high-profile target like Hot mail, making it far less likely to come under attack.
Of all the comments I've ever posted, this is definitely one of them
In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.
Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
First off it's Solaris/BSD not NT. Second, it's not an OS related security issue at all. It's just sloppy programming in the hotmail setup itself.
-matt
substrate wrote:
A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (its been awhile)
anon.penet.fi, yes. Read the story of its demise.
Key details not found there (unless you poke around some) are that the court case involved anonymous e-mail sent by a critic of the Church of Scientology, a lawsuit brought by Scientologists in Finland against Julf, and the subpoena served on Julf by reluctant Finnish police. Julf had simply hoped this day would never arrive; when it did, somewhat more quickly than he had expected, he was caught off-guard. Since he realized that he did not have the resources to protect the users of the service, he closed it.
which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.
Julf did a great job with anon.penet.fi, but let's not oversell it. The anon.penet.fi did nothing more spectacular than remail your text with its headers. There were instances of the service being spoofed, accidentally revealing addresses, and being abused by someone with prior (social) knowledge of the real e-mail address associated with an anon.penet.fi address. And in the end, it all boiled down to Julf: did you trust him? He was honorable, but that wasn't guaranteed.
Nevertheless, many thousands used the service mainly because it was the easiest anonymizer to use. And yes, as many security geeks pointed out endlessly, the ease of use made it more vulnerable than other systems.
lake effect weblog
{Network engineer in Chicago--looking for work!}
The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot. [snip]
Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."
Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of
You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.
What bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- is that they seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog. Fortunately ZDNet is reporting that "a simple HTML script" (long way to say "URL") could also thread the security needle.
lake effect weblog
{Network engineer in Chicago--looking for work!}
miyax writes:
If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service.
Uh, actually, no. That should read "to any badly-programmed web-mail service". See, they didn't invent some gosh-darn super-duper smart-agent neural-net jacked-into-the-matrix hack; they found out that Hotmail hadn't locked all the doors, that's all.
(Sadly, that's pretty much the case with ANY system cracking.)
lake effect weblog
{Network engineer in Chicago--looking for work!}
See for yourself.
I hope nobody else thought I was accusing FreeBSD of being insecure! It just sounded like Bendawg thought Hotmail was running on top of Windows. Er, maybe not. Whatever. Bottom line is, MS can make anything insecure.
Well, I saw it coming. I was never a friend of web based freemailers, anyway, especially not hotmail. However, it would be interesting to know more details on this hack. Is it just a hotmail problem? What about other freemailers such as yahoo? is there some official statement by hotmail? Inquiring minds would like to know.
Well the how seems "simple"... it's a security hole. In the URL that the little script generates, you can change the password=eh to pasword=xxx, or whatever, and it still works. You can also change the user account name to some other account name and it still works. In fact, you can have an empty passwd= part in the url and it works....
So basically what I think this is, is simply access to a machine that normally users only get directed to once they've gone through the login process. Also, normally the parameters in Hotmail's URLs are encoded or something, but I wouldn't be surprised if what we see encoded in normal Hotmail access decodes to the URL type syntax this script generates.
I just wonder what a CURMBOX is...
If this is true, it just took someone to decipher the url encoding, and voilà.... and knowing MS, it's probably ROT13 or something.
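Both Joe's analysis ("the view/edit mailbox functionality appears to not check the password field") and the post above describe the same flaw class: a mailbox handler that takes identity from query parameters the client controls and never ties it to a completed password check. The following is an added example, written for this thread and not code from Hotmail or from any poster, that puts a minimal version of that handler beside the fix. User records, passwords and mailbox contents are constructed sample data; the parameter names mirror the URL quoted in the thread.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample accounts (not real): login -> salted PBKDF2 hash of the password.
_SALT = b"constructed-example-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
MAILBOXES = {"alice": ["Re: lunch"], "bob": ["Invoice"]}


def vulnerable_start(query):
    """Before: the mailbox view trusts the 'login' parameter on its own.
    'passwd' is parsed but compared against nothing, so any value (or none)
    opens whichever mailbox 'login' names. This is the defect the thread
    describes, reproduced deliberately."""
    params = parse_qs(query)
    login = params.get("login", [""])[0]
    params.get("passwd")  # read and ignored: no check ever happens
    return MAILBOXES.get(login)


# After: the password is verified exactly once, at sign-in, and the result is an
# opaque server-side session. The mailbox view keys everything on that session.
SESSIONS = {}


def authenticate(user, password):
    """Return a session token only if the password matches; None otherwise."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def hardened_start(query, session_token):
    """Mailbox access is decided by the session, never by query parameters.
    A 'login' parameter that disagrees with the session owner is treated as
    tampering and refused rather than silently ignored."""
    user = SESSIONS.get(session_token)
    if user is None:
        return None
    requested = parse_qs(query).get("login", [user])[0]
    if requested != user:
        return None
    return MAILBOXES[user]


if __name__ == "__main__":
    print(vulnerable_start("curmbox=ACTIVE&js=no&login=bob&passwd=wrong"))
    tok = authenticate("bob", "hunter2")
    print(hardened_start("login=bob", tok), hardened_start("login=alice", tok))
```

The point of the hardened version is not the hashing detail but where the decision lives: the only code path that can produce a readable mailbox goes through authenticate(), and nothing the client puts in the URL can substitute for it.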
It's still working... I can't believe something like this is possible - and it's not even /.'ed :)
Why don't MS just block requests from the referring host in question? How hard can it be?
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
no kidding...
let's face it - security holes pop up on all platforms, *nix, windows, whatever. the key is how a company responds to the holes and m$ doesn't seem to have learned that lesson. they figure they can keep everyone in the dark for as long as possible.
the same thing happened with the big iis hack a couple of months ago
---- There is a fine line between sayings that make sense.
Hotmail doesn't disconnect their service like eh.... right now seems a good time! I mean... this seems like the sensible thing to do now...
...without actually looking at a real person's mail, just use one of those addresses you get spam from. pplegal for example - it's full of bounced spam, of course.
This was the headline of a tabloid here in Sweden this morning. Though at the time I assumed it was just more Internet FUD. Could it be that we are finally seeing public awareness of network security??? Hopefully we can smudge Microsoft over this story in the popular press.
/. is like a steer's horns, a point here, a point there and a lot of bull in between.
-
but made less funny by the fact that they don't run hotmail on MS-ware, as of the last I heard.
Yipes!
Geeky modern art T-shirts
This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)
On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail for Email with a real security. At least their encryption isn't just XOR-based. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here to see the MS FUD on "Passport Security".