
Thread: Hacking Hotmail

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    Hacking Hotmail

    Most of us are aware of the insecurities in using cookies for logon. Looks like MS isn't, or just doesn't care. If you have a Hotmail account that's been compromised and manage to change your password, anyone in possession of your Hotmail cookies from before the pwd change still has full access to your account.


    MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and apparently being exploited.

    The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords.

    "What's scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in," said Eric Glover, a New Jersey-based programmer who has a doctorate in computer science from the University of Michigan.

    Glover said he unearthed the Hotmail cookie problem when a friend's former boss started accessing the friend's Hotmail account -- and continued to use the account even after the pal repeatedly changed her password.

    After studying Hotmail's sign-on process, Glover concluded that the snoopy manager likely had grabbed a copy of the Hotmail cookies from the friend's work computer or a back-up tape and had been using them to digitally unlock her Web mail account.

    Microsoft officials said Thursday that the Hotmail service offers users several tools to limit what the company terms "cookie-based replay attacks" but added that Microsoft is "always looking at ways to protect users further, as well as giving them more control over their online experience."

    Security experts, however, said today that the Hotmail vulnerability exposes the risks of relying on browser cookies as the digital keys to Internet sites.

    Cookies, the small data files placed on an Internet user's computer when visiting websites, are primarily used to identify visitors for the purpose of customizing content such as advertising. But many sites, including Hotmail, also rely on cookies for more serious authentication purposes.

    For such sites, the cookie is akin to an ATM banking card that doesn't also require the holder to provide a password. Lose the "card" and you may give up your security.

    "Cookies were never designed to be an authentication mechanism. But anyone trying to deploy a Web application today doesn't really have much choice," said Marc Slemko, a Seattle-based security expert who has previously discovered cookie-related security problems at Microsoft's Passport service.

    Without physical access to a PC, how big a hurdle is stealing Hotmail cookies? "Trivial," said Slemko, who pointed out years ago how cross-site scripting flaws can be exploited to perform attacks such as pilfering cookies.

    What's more, security bugs in Internet Explorer make robbing a remote user of his Hotmail cookies a snap, according to Thor Larholm, a Danish programmer and security specialist who has compiled a list of IE browser flaws, many of which allow cookie-snatching exploits.

    "I would say that a malicious programmer's day-to-day chances at successfully stealing the target's cookies lie between very easy and easy," said Larholm, noting that browser cookies are stored unencrypted and in a fixed location.


    read more:

    http://www.wired.com/news/technology...,52115,00.html
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    A good argument for deleting your cookies after your online sessions. Does it bother anyone else here that exploiting a flaw like this is a crime (as it well should be) but creating it isn't? Firestone makes tires that blow up and they wind up in a costly legal mess. GM made a car called the Corvair that was pulled from the market because it was "unsafe at any speed". Microsoft deceives the public by shrink-wrapping turds and promising they won't stink, yet stink they do with absolutely no negative ramifications. It's starting to look like the software industry needs its own version of Ralph Nader.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Member
    Join Date
    Apr 2002
    Posts
    97
    An excellent point, Allen. What is stopping people from filing lawsuits against Microsoft for losses? Why can we sue Firestone and not Microsoft for creating dangerous situations? Is it because Microsoft can patch theirs? Well, Microsoft can't patch the program until the exploit has been discovered, which has left us all open to security risks with no chance or hope of fixing them ourselves until Microsoft decides to fix it for us.
    The radiance of ignorance in a world of nothingness and all of this time your pestilence has created nothing but uselessness

  4. #4
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Originally posted here by imaginedsanity
    An excellent point, Allen. What is stopping people from filing lawsuits against Microsoft for losses? Why can we sue Firestone and not Microsoft for creating dangerous situations?
    It's called a EULA....and IMHO it is a practice that needs to be investigated and regulated to protect consumers. Just my .02
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #5
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Ouch. You'd think they at LEAST would have a time limit on the validity of cookies, making users log in at least once a month or something.

    About EULAs... I'm in favor of any legislation on EULA Lemon Laws.

    Let's have a Lemon Law on giving vendors total unfettered access to your computer in a EULA. (MS Media Player Patch EULA...) Even if you click 'I agree', that part of the EULA is nonbinding.

    Okay, so maybe that kind of use is not 'technically' a lemon law, given that it is a thing about product licensing, rather than the product itself, but whatever.
    [HvC]Terr: L33T Technical Proficiency
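The two server-side controls this thread points at, sketched as an added example (not part of any post and not Hotmail's code): the signed cookie carries a per-user credential generation and an issue time, so a password change or the monthly limit suggested above invalidates copies made earlier. All names, the cookie layout and the 30-day value are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-deployment secret used to sign cookies
MAX_AGE = 30 * 24 * 3600      # assumption: force a fresh login about monthly
users = {}                    # name -> {"salt", "pw", "gen"} (in-memory demo store)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(name, password):
    """Create or update a user; every change bumps the credential generation."""
    salt = os.urandom(16)
    gen = users.get(name, {"gen": 0})["gen"] + 1
    users[name] = {"salt": salt, "pw": _pw_hash(password, salt), "gen": gen}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def login(name, password, now=None):
    """Return a cookie value on success, None on bad credentials."""
    user = users.get(name)
    if not user or not hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"])):
        return None
    issued = int(time.time() if now is None else now)
    payload = f"{name}|{user['gen']}|{issued}"
    return f"{payload}|{_sign(payload)}"

def check_cookie(cookie, now=None):
    """Return the user name if the cookie is still valid, else None."""
    try:
        payload, sig = cookie.rsplit("|", 1)
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None                      # forged or altered cookie
        name, gen, issued = payload.split("|")
        gen, issued = int(gen), int(issued)
    except ValueError:
        return None                          # malformed cookie fails closed
    now = time.time() if now is None else now
    user = users.get(name)
    # Reject cookies issued under an older password or past the age limit.
    if user is None or gen != user["gen"] or now - issued > MAX_AGE:
        return None
    return name
```

A copy of the cookie taken before `set_password` is called again stops validating immediately afterwards, which is the property the article says was missing.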

  6. #6
    Member
    Join Date
    Apr 2002
    Posts
    97
    Good point, Allen...my mind must be functioning sub par today, because the thought didn't even cross my mind. I apologize for the ignorant thread. And I agree about the EULA lemon law...that's an excellent idea.
    The radiance of ignorance in a world of nothingness and all of this time your pestilence has created nothing but uselessness

  7. #7
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Posts
    1,207
    I feel cookie stealing is one of the most under-rated security risks out there. Holding Microsoft accountable would be nice, especially since this is a perfect demonstration of gross incompetence. What worries me the most is people who use public computers in schools and libraries. Basically any idiot can set the browsers to automatically accept cookies, come back in a few hours, and see how many Hotmail cookies are just sitting there ripe for the picking.
    It's not software piracy. I’m just making multiple off site backups.
