Slashdot Mirror
Hotmail Cracked Badly
Allright this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA
number in it, I'd think twice about it ;)
Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:
I VE&js=no&login=ENTERLOGINHERE&passw d=eh
http://207.82.250.251/cgi-bin/start?curmbox=ACT
replace ENTERLOGINHERE with the account you are cracking.
This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.
1) We're not told in this story where *exactly* the security hole is (in which part of the system)
2)According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"
So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.
Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.
Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.
Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.
----
----
Open mind, insert foot.
Sorry, Billy. Really.
There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.
It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.
Except from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure ?
Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.
One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing ?
We still need C, we still need string handling, and since every system has it's own way of authenticating users, it seems there is little to be done at all.
Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.
Anyway, I've been told they they use "Microsoft Passport" and that's whats been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?
Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).
Remember, Hotmail uses both Solaris and NT in various capacities.
Nothing worth doing is worth doing today.
Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant:
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVIn other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.
--Joe--
Program Intellivision!
This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)
On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail for Email with a real security. At least their encryption isn't just XOR-based. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."