Hacking Hotmail...sorta

Printable View

May 19th, 2003, 07:02 PM
meloncholy

Hacking Hotmail...sorta

**disclaimer: I'm not asking how to hack hotmail. I'm just wanting to start some creative duscussions...

I just got done reading the most recent "how to hack hotmail" post and found it amusing. I then looked back at some of the other posts to see what the big deal was. I found it very interesting everyone was quick to flame, and no one was sent away with any useful "hacking" information. Some of the replies I saw were:

1. Keylogger - Not gonna work unless you have physical access to the host. Lame solution anyway. Not the stealthiest way to do something.

2. Social Eng - This works for almost any password hack, and I guess this would work. Not a real technical solution.

3. Trojan - What are people thinking?

Anyway, the thing that was never brought up was cross site scripting. You don't have have to give line for line details on how to do it. In fact, I'm not even sure it would work for hotmail. I just thought that would be a good attention grabber to discuss it and in theory if it would work.

For those that don't know, a cross site scripting vulnerability is a vulnerabilty that allows "bad guys" with a malicious web site possibly access to the cookies on your machine.

So here's the scenario: You are evil hacker child and wanna get the guy who just looked at you the wrong way. You craft a special web site just for him The web site will contain a few basic scripts (this is the part you have to research to learn a bit). You send him an email with the "bad" website. Once he clicks on it and runs your script, viola, he is now sending you whatever you want (user provided info, cookies, ect). In theory this sounds like this would work for hotmail. You might say well, hotmail is pretty slick, they encrypt thier cookies. Thats ok. You don't have to decrypt it, just cut and paste into the browser and that should do it.

Anyway. This is a pretty sloppily written example (my own random ideas). The idea was to get some new discussion going on this site (for the people new to security and vulnerabilities). I don't have any desire to "hack" hotmail so I have no idea if this would work...but in theory it sounds pretty good.
May 19th, 2003, 07:16 PM
alittlebitnumb

A long time ago when the dinos roamed the earth, there was a hole in the Hotmail servers. Sombody successfully hacked it and ever since then, everybody wanted a peice of the action especially when sites started posting the ways people actually did it. There was a decent write up about it on Rootshell, and looking at Google, the site seems defunct. Ow well.

Anyway, there was another trick people used and that was via fake login trojan sent e-mail. This trick has all but vanished with MS's new login screens, secure tunneling and redirects it may still be able to be done, but that would be a major feat.

To this day I still wonder why so many focus on just Hotmail. If you want to access personal information illegally that badly, why not make it worth the time Bruno is gonna rape your ass every night with a knife to access something like a Bank database, credit card numbers, or a server with lots of neat confidential goodies? If I were an evil hax0r, I would not waste my time with Hotmail. I use it for garbage. I bet many others do too.

Just a thought.
May 19th, 2003, 07:56 PM
meloncholy

OK..my bad. It was dumb to post about cross scripting. It is talked about sooo much in this discussion board. Who am I to get people thinking. Neg away!

If I got negged because this isn't a script kiddie solution, oh well. Guess we know who populates this board.
May 19th, 2003, 08:04 PM
Tiger Shark

Correct me if I'm wrong..... Never used Hotmail or any other of those "free" emails.... I'm a L33t "host my own" type...<s>

Hotmail would still require you to provide the password, the cookiw only really holds info on your preferences. If this is the case then you still need something other than the cross site script to get what you want......
May 19th, 2003, 08:17 PM
meloncholy

Actually...any fields where user input is required can be stored as a cookie..."can be". If you use hotmail, everytime you come back, the username is already inserted...this is because of the cookie. If you go to your cookies and delete the one for hotmail, you will notice the next time you log on this will be gone. When you enter your password I believe a cookie is set for that session. I have tested this theory on my own web server (just a test page I created with a username/password filed) , but not hotmails. Like I said, I don't plan on trying hotmails, but in theory it "may" work. If its just a unpatched vuln in the web server it probably won't work...Hotmail will be up to date on all the patches. I tried this on a pretty naked IIS server.
May 19th, 2003, 08:41 PM
Algaen

The winter 2002-2003 issue of 2600 has the "details" on how to do the cross-site scripting to grab someone else's passport cookie. It's pretty scary that it could happen to a user without them even knowing. This is just one more reason to not use auto-login on web-based applications (since passwords are stored locally in cookies).
May 19th, 2003, 09:07 PM
Tiger Shark

Mel: Yeah, but the password is still required and is not held in the cookie...... Or am I being dumb?
May 19th, 2003, 09:25 PM
Tedob1

up until very recently this worked:

register.passport.net/emailpwdreset.srf?lc=1033&[email protected]&id=&cb=&[email protected]&rst=1

preceeded of course by [http://]

Tiger Shark before they patched it the cookie was all you needed
May 19th, 2003, 09:45 PM
ednos

Recently?

as far as I can see after testing it, it still works

[gloworange]--Andrew Hills[/gloworange]
[pong]Sir Ednos the Great[/pong]
May 20th, 2003, 12:00 AM
valhallen

what about using the fact hotmail allows users to view html formatted emails? I know there used to be an exploit where with the right java script embed in the email you could force the victims browser upon opening the email to open up a dif page inside the same browser window....this could of course be used to display a replica of the hotmail re-sign in page - except instead of sending the username pass to the hotmail servers and loggin u back in it would email the suername/pass to who-so-ever had created the fake page and then send you back to the page you had come from making it look like u had been signed back into ur hotmail account (even tho in reality u had never signed out)
this as well tho I think has been fixed by hotmail who have now disabled the java script function when viewing emails.......

theres always going to be bugs/holes but the biggest ones aint caused by bad software/admins but by the stupidity or gullability of people using the service.....

point in case :::

a somewhat old trick went something like this and use to be found posted on the likes of blackcodes forums and the like......

Want to hack hotmail??

send an email to [email protected]

( notice spelling mistake as hotmail will not allow people to sign up with certain words in name like services, staff etc - this address would belong to the lamer posting the msg )

subject = "pass.reset%bot-send$pass?new"
body =
"pass.bot%send.pass?reset/
'the email address you want the password for'
%^update.send.bot%-user/pass$
'your email address'
%reply-non.email$$new.pass-send
'you password'
$reset?new.pass=my.pass

As you can see very lame - just a trick to get people to send their own email/pass to some fake address with alot of crap thrown in so that they think it actually does something.....anyone looking at this can see its just a pathetic attempt at social enginering but it works.....proving the stupidity of some people......

another point in case.......

the constant messages on some IM packages - something like....

Quote:

||insert IM messanger name here|| staff will never ask you for your password or credit card details

these kind of warnings are needed as people would get msg'd by [email protected] or something similar who feeds them some non-sense about the mainframe going down in the middle of a billing cycle and they are unsure of which people have been billed and which have not as the crash caused some usernames & credit card details to get jumbled......could u just confirm your credit card details and password to ensure we dont double-bill you......or something along those lines.......the fact that they now display warnigns about such behaviour must show that before those warnings were put in place that alot of people must have been suckered in this way

right well I think I have gone off on my own lil tangent long enough :)
also all exploits (well they aint even really exploits) mentioned above are all very old and well documented so pls with-hold your

stop feeding the lil skript kiddies

feel free to neg just make sure its witty or at least abusive to the point of being comical - everyone needs a laugh every now and then ;)

v_Ln
May 21st, 2003, 09:42 PM
sectac

the problem with CCX exploits is that no one besides them knows how their system is running, and its very hard to grab passwords from the servers when you have no idea where files are, how many db's are keeping different servers, the drons keeps massive logs, to really get into hotmail, you would have to either, 1 exploit their acctual servers, by bypassing their frontend, or 2 finding a password bot vuln, all other things are stupid and lame, and only morons fall for