Slashdot Mirror


Hotmail Cracked Badly

All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

9 of 441 comments

  1. Before anybody starts crowing ... by Anonymous Coward · · Score: 4

    1) We're not told in this story where *exactly* the security hole is (in which part of the system)

    2) According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"

    So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.

    Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.

  2. Re:Blammo! by Gleef · · Score: 5

    Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

    Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.

    --
    Open mind, insert foot.

  3. DING by drwiii · · Score: 4

    Here's my mirror of the exploit

    Sorry, Billy. Really.

  4. Security and platforms by Oestergaard · · Score: 5

    I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.

    It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.

    Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?

    Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.

    One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing?

    We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.

  5. Re:The address by el_nino · · Score: 5

    Oh well...

    http://www.2038.com/hotmail/

    %japh = (
    'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
    'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'

  6. Nature of the exploit by bgarrett · · Score: 5

    I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).

    Remember, Hotmail uses both Solaris and NT in various capacities.

    --
    Nothing worth doing is worth doing today.

    1. Re:Nature of the exploit by dirty · · Score: 4

      From what I've seen, basically Hotmail trusts a certain URL to be accurate without doing any verification of the password. This isn't an NT issue or a Solaris issue or any other OS-related security hole. It's just bad programming on the part of whoever wrote the offending code. Whether it was MS who messed up or the people who originally wrote Hotmail, I wish I knew.

      --
      -matt

  7. HOW IT WORKS. by Mr+Z · · Score: 5

    Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where everything except username can remain constant:

    http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh

    In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.

    --Joe

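The handler behaviour that dirty and Mr+Z describe above (the mailbox is selected by the `login` query parameter and `passwd` is read but never verified), shown next to the form a practitioner would want instead. This is an added example, not part of the original thread and not Hotmail's code: the function names, the user and mailbox store, the PBKDF2 password hashing, the session-token scheme and the host name are constructed assumptions; only the shape of the query string comes from the post.

```python
"""Model of a CGI 'start' handler that trusts the login parameter.

Added illustration, not Hotmail's code. The handler names, user store,
mailboxes, session scheme and URLs are constructed for this example.
"""
import hashlib
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlsplit


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 over the password; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: login -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Constructed mailboxes: login -> list of message summaries.
MAILBOXES = {"alice": ["From: bob - lunch?", "From: bank - statement ready"]}

# Server-side sessions: token -> login.
SESSIONS = {}


def query_params(url: str) -> dict:
    """Flatten the CGI query string to single values, as a naive script would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def start_vulnerable(url: str):
    """The behaviour the thread describes: 'login' picks the mailbox and
    'passwd' is accepted without ever being checked."""
    p = query_params(url)
    login = p.get("login")
    _ignored = p.get("passwd")  # read, then never compared against anything
    return MAILBOXES.get(login)


def login_fixed(url: str):
    """Verify the password, then hand back an unguessable session token.

    Unknown users still cost one hash computation so that timing does not
    reveal whether the login exists."""
    p = query_params(url)
    login, passwd = p.get("login", ""), p.get("passwd", "")
    record = USERS.get(login)
    if record is None:
        _hash(passwd, b"\0" * 16)
        return None
    salt, digest = record
    if not hmac.compare_digest(_hash(passwd, salt), digest):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = login
    return token


def start_fixed(url: str):
    """Mailbox access keyed on the server-side session, not on 'login'.

    A 'login' parameter in the URL is simply ignored here; the identity
    comes only from the token issued by login_fixed()."""
    p = query_params(url)
    login = SESSIONS.get(p.get("session", ""))
    if login is None:
        return None
    return MAILBOXES.get(login)


if __name__ == "__main__":
    bypass = "http://mail.example/cgi-bin/start?curmbox=ACTIVE&js=no&login=alice&passwd=eh"
    print("vulnerable handler returns:", start_vulnerable(bypass))
    print("fixed login with wrong password:",
          login_fixed("http://mail.example/cgi-bin/login?login=alice&passwd=eh"))
    tok = login_fixed("http://mail.example/cgi-bin/login?login=alice&passwd=correct+horse")
    print("fixed mailbox with real session:",
          start_fixed(f"http://mail.example/cgi-bin/start?session={tok}"))
```

The point of the fixed version is that nothing in the URL names the account being read: the client holds only a random token, and the mapping from token to mailbox lives on the server. Any scheme where the request itself carries the identity (a `login` field, a predictable cookie) has to re-verify that identity on every request, which is exactly the check the vulnerable handler skipped.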
  8. Secure Web mail by Enoch+Root · · Score: 4

    I find it amusing that it would come to this. Hotmail keeps saying in TV ads that they're "perfectly secure and private" because they prompt you for a PASSWORD when you try to access your mailbox. Whatever means was used to crack Hotmail, I think it's a good thing. It will make people realise a system is not secure because the company hosting it says so.

    This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14-year-old female hackers, so Hotmail is probably not even secure against your little sister. :)

    On a side note, secure Web-based, free Email does exist. I urge everyone to visit HushMail for Email with real security. At least their encryption isn't just XOR-based. :)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."