Here's an example from 2001, and there have been more recent ones / one within the last 6 mos
http://www.cgisecurity.com/archive/m...les_emails.txt
Well, I've never "hacked" hotmail... But I know someone who knows someone who works at hotmail and he logged all users that logged in on a specific server and gave us the usernames/passwords. Be careful where you log into =]
http://slashdot.org/articles/01/08/20/2132207.shtml
http://www.theinquirer.net/?article=438
http://www.pcworld.com/news/article/0,aid,16664,00.asp
EDIT: Tedobs link is broken, so here it is too.
http://www.cgisecurity.com/archive/m...les_emails.txt
Looks like it can't be linked to. This has been fixed long ago but FYI:
Date: Sat, 18 Aug 2001 14:31:17 -0700 (PDT)
To: [email protected]
Subject: Hotmail message view exploit
Reply-To: [email protected]
X-Originating-Ip: [206.102.26.139]
exploit lets you view e-mails from other people's accounts
---=[ Three Steps To View Someone's Emails In Hotmail ]=---
(Tested with Internet Explorer 5)
To view full email from someone else's account do the following:
1. Log in normally to Hotmail with your ID (any id)
2. Use this type of link to view specific message from specific user:
http://pv2fd.pav2.hotmail.msn.com/cg...2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com
or
http://lw14fd.law14.hotmail.msn.com/...n%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com
From that link change values:
MSG943322803%2e16 (Message id number, it's simply a counter. %2e=.)
username (Hotmail account name to view)
(remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you don't like the hotmail frame on top.)
3. Done. If you entered the correct message number & that user has it you will see it. :)
(Test it with your own other hotmail account messages first to get the idea working.)
---=[ ideas and comments for improved viewing / scan ]---
Now typing those message numbers manually is too much
work, you could create a small utility to automatically
scan given range of messages from specific user name.
(You need to build it to work with IE, as you must be
logged in hotmail when you want to view messages..)
It also helps to know that from the message numbers,
in your own hotmail inbox, you can see about what time
what message number has been used. eg:
MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.
So you don't need to scan as many message addresses
when you know from which range you are looking at.
(Check out Hotmail Scanner Bot aka. hobo for automatic scanning.)
Test messages: (Log in to hotmail, then use links to view message from my test account)
raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cg...etmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26raw%3d0%26login%3djokutesti99%26domain%3dhotmail%2ecom
email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cg...etmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26login%3djokutesti99%26domain%3dhotmail%2ecom
---=[............ Research by wAwAsAn4 ..............]=---
---=[........... [email protected] .............]=---
---=[................. 17.08.2001 ...................]=---
www.root-core.com
==
[Digital-Vortex]
Webmaster
www.root-core.com
_____________________________________________________________
[Root-Core] - [www.root-core.com] - Free E-mail
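The advisory quoted above describes a missing authorization check: any logged-in session could name another account in the `login` parameter, and message ids were predictable counters. The following is an added example, not part of the original thread and not Hotmail's code; the handler names, in-memory store and sample accounts are constructed to show the flawed lookup beside a corrected one that also records refused attempts for detection.

```python
import secrets

# Constructed sample data: mailbox name -> {message id: body}.
MAILSTORE = {
    "alice": {"MSG998047250.22": "alice: private note"},
    "bob": {"MSG998047251.3": "bob: private note"},
}
SESSIONS = {}   # session token -> login proven at sign-in
AUDIT_LOG = []  # refused cross-account reads, kept for detection


def sign_in(user):
    """Issue an unguessable session token bound to one mailbox."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def getmsg_vulnerable(token, params):
    """The flaw: a valid session is required, but the mailbox is taken
    from the caller-supplied 'login' parameter and never compared."""
    if token not in SESSIONS:
        return 401, None
    body = MAILSTORE.get(params.get("login"), {}).get(params.get("msg"))
    return (200, body) if body is not None else (404, None)


def getmsg_hardened(token, params):
    """The mailbox comes from the session; a 'login' parameter naming
    another account is refused and logged."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    requested = params.get("login", user)
    if requested != user:
        AUDIT_LOG.append({"session_user": user, "requested": requested,
                          "msg": params.get("msg")})
        return 403, None
    body = MAILSTORE.get(user, {}).get(params.get("msg"))
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    t = sign_in("alice")
    cross = {"login": "bob", "msg": "MSG998047251.3"}
    print(getmsg_vulnerable(t, cross))  # another user's mail is served
    print(getmsg_hardened(t, cross))    # refused
    print(AUDIT_LOG)                    # one record of the refused read
```

A burst of refused records from one session with sequential `msg` values is the pattern the advisory's "scan a range" idea would produce in such a log.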
I haven't heard of anyone actually hacking the hotmail boxes but just seen exploits sent to me where when you open an email it spawns a new webpage that looks like the hotmail page that asks you to reenter your password. So then when you reenter it the code on the webpage emails your password to whoever wants it. Blah blah they can now access your account. Anyway, this is not an idea for people but more of a heads up about kinda an exploit. So if you ever get that "please reenter your email" page, just close out of your explorer completely and reopen and go back to hotmail. That's the only way to be safe.
Key logger I would think is the best to hack in hotmail.
If others know better ways, please add.
Nice articles all. Thanks. :)
Whenever I heard about "hacking" hotmail, it mostly was about social engineering. Sending someone a fake hotmail page, or deploying a keylogger when people have physical access to the victim's pc.
I bet the entire MSN passport system is still full of holes, and that it's just a matter of time before they are discovered. I mean, as a webdeveloper, I've seen some MS-made things, and they all look very messy. Like, don't those people have coding standards or something?
I also think that there prolly is an exploit somewhere in that hotmail login URL somewhere. Some nice XSS could find that out. Just a matter of time, again. Maybe I'll give it a go, ey. ;)
Anyways, you know of any more articles out there? I'm particularly interested in the responses from microsoft. Hehehe.
Greetz.
Quote:
I bet the entire MSN passport system is still full of holes,
I'm sure it is. If you read 2600, their current issue has a hacking m$ passport revisited.
After 2600 published their first article... m$ did something about it... but not much.
Pretty cool article though. Helps you understand why you shouldn't use cookies for authentication...
SickDwarf,
Quote:
You're right about this one, it's very obvious. => Wasn't this in the FAQ's as a nice example how not to post ?
After reading the info provided by all of you here, I realized .... dang .... that I was wrong and too quick in judging. These posts were indeed valuable info.
My apologies,
Yeah, it's like you say "hotmail" and "hack" in the same sentence and people start flaming you.
God forbid us mature, rational people can have a real discussion.
Well hacking hotmail is stupid I think because who wants to read other people's e-mail. If you're that desperate to find out someone's password to say aim they could just change it. And anyways why would u want to read e-mail that is not about you. And if u tried to do something to hotmail most likely they would catch you. But I think u make a good point.