Rant: How do I hack Hotmail?

[Geric]

Is it just me or does there seem to be a high frequency of these "How do I hack ___. " posts lately??

[s0nIc]

dem silly kidds are givvin me bad vibes..
*pops the collar of his leather jacket and dusts off his shoulder..*
they're ruinin my aura.. hence ruinin my mojo..

[ccKid]

I find it very disturbing when I see posts asking "How do I hack _____". My first thought is do they have no moral understanding, or is it that they just have no idea of what consequences they could face? Especially considering the new laws that have been passed and others that are in the works.

My second thought is that they must be extremely stupid to come to a site that is based on the concept of IS security and expect someone to give them tips on cracking into some one elses system........makes me ::smile::

ccKid

[Noia]

Hmmm....what is TCP/IP....and How do You hack Hotmail.....?
lol
No seriusly....
What is TCP/IP exactly.....my knowledge of it is kinda odscure.

- Noia

PS: Keep it up

[jezter6]

I guess junior high is out for the summer. 3 more months of this and it's back to a little bit of sanity.

Who cares about hacking hotmail anyways? Who is dumb enough to use hotmail? Ugh...it all drives me crazy. If you're not smart enough to find yourself a pop3 account, you shouldn't be allowed to get on the net.IMHO

[souleman]

Umm, so does that mean you won't teach me how to hack hotmail???? But I really need access to my <girl/boss/brother/parents/own> account and I lost <his/her/my> password.

[chsh]

You know what guys, if these users are as clueless as you (and I) feel they are, they are not going to read this post and grab a clue. The will just write their one-off 'how do I hack XXX' and check back occasionally for answers.

The only thing you're doing here is banging your fists on the table (metaphorically speaking) about it.

Even a sticky at the top of the Newbie Qs forum doesn't stop those questions from being asked.

This is, IMO, while being a laudable goal, will amount to nothing but wasted effort. If you really want to stop people from posting this, talk to JP, it's his site.

[s0nIc]

What is TCP/IP exactly.....my knowledge of it is kinda odscure.

well incase if ur really serious..

go to www.firewall.cx (best viewed in IE)

[ahmedmamuda]

Those intrested in knowing how to hack hotmail accounts, should get "busted and banned"
Most webmails have major security holes allowing people to hijack accounts
from other users. It is then possible to read/destroy emails, and
read/change preferences, and sometimes (like in the Hotmail case) hack into
the user's computer. If someone who is authenticated through the webmail
has access to other web services, it is also possible for the malicious
hacker to use them (that's why a webmail should never be integrated with
online auction/bank account/stock exchange...). This is an old and
well-known issue. But... I want to show that even the biggest companies
have these security flaws, that are easy to find and easy to fix, but they
don't really care about them, and I try to understand why.

I focus here on how three different companies handle these privacy threats:
- Microsoft : software developper, provides Internet services through Hotmail.
- Yahoo! : all activities depend on Internet.
- Vizzavi : a web portal from the big european media group Vivendi Universal.

At this time (April 1st 2002), only Hotmail is fixed, although each company
was contacted more than 3 weeks ago.

This is a special class of security problems since it harms only the end
user, with stealing of personal data like e-mails. The servers of the
company providing this web service are not at risk, because the "hack"
takes place at the level of the user's browser. There is no possibility of
a global denial of service, no money loss, no intrusion detection so no
action required from technical staff... So, from a financial point of view,
there is no need for the companies to put too much money into securing
their web services. But protecting the end user privacy should be a top
priority, isn't it ?


WHAT DO COMPANIES DO ?

Warning: I talk only on the basis of my own experience with these
companies, and I may be wrong...


1) MICROSOFT HOTMAIL [FIXED after 3 months]

- They handle perfectly the relationship with the security community via
[email protected]. Their response time is great (from 10 minutes to 24
hours).
- They have the will to patch this kind of security flaws. And Microsoft
France seems to care about these issues.
- But they don't care enough ! The hole I found was really easy to find out
(they could have find it themselves), and their first patch was bad : from
December 2001 to March 2002, it was possible to steal the e-mails of users
- and much more.

More about this security hole :
I had found a major security hole in December 2001. Because of a flaw in
the design of their "malicious html" filter, there was a "magic string"
that could totally disable this filter when reading an e-mail. This allows
javascript to be embeded in an evil html message (allowing stealing of the
session cookie and reading of e-mails), but more frightening is the
possibility to make the user's browser display any html tag with any
parameter, like IFRAME, OBJECT, etc. It was then possible to send a virus
or hack into the hotmail user's computer, by triggering the security holes
of Internet Explorer.
For more details see vuln-dev:
http://online.securityfocus.com/archive/82/246989
It took only a week for Microsoft to fix that. I published the
vulnerability on Internet.

Three months later, I took a look at it and I realized that the fix for
this public vulnerability had a huge flaw. Fifteen minutes were enough to
see that there were still a "magic code" disabling the html filter ! It
seems that nobody cared to test the new filter. Here is this new "magic code" :
<SCRIPT>
</COMMENT>
-->
I used this successfully to inject a trojan horse into the computer of a
hotmail user running an unpatched version of IE, without knowledge of his
IP adress or anything except his Hotmail adress... I also downloaded all
the emails in his mailbox with 1 line of javascript in an e-mail and a 4
lines cgi script on a webserver. Scaring.
Only two days after I reported it, Microsoft issued a much stronger fix for
this vulnerability.


2) YAHOO ! MAIL [NOT FIXED]

- They don't have any contact adress, only feedback forms. I submitted
three different forms but never got any answer.
- By phoning to Yahoo France, I was not allowed to talk to the right
person. The hotline staff seems not to be educated to care about these
privacy problemes.
- Sending an official letter to them was the solution. When I could talk to
the right people, I saw they had the will to patch the holes, and I now
have the e-mail adress of someone in charge of this at Yahoo.
- But two or three people having a "will" is not enough. It seems to me
that the company itself don't care if these people do a good job with that,
and I also think this is not their main job. It took them 3 weeks to make
correct patches last December... and they patched only one of of the two
holes we found last month. Yahoo does not seem to have set up a policy
about the handling of these "privacy problems".
So, it is still possible to read other people's e-mail on Yahoo...

More on this "new" holes we found (in fact, holes found before on other
websites by other people, but with small changes): it is possible to insert
a "script" tag into an html message by using these tricks :
<_a<script> [fixed]
<<script> (this one was found by BugSan) [NOT fixed]

These codes were sent to Yahoo a month ago and published a week ago in
France (Hackerz Voice newspaper). Why they fixed only the first one is a
mystery to me. I hope this post will help to make them issue a fix very
soon. (since I am not in Paris I don't have the email adress of my contact
in Yahoo France, but the issue is already public, and the users' accounts
are still at risk, so there is a need for a quick fix and that's why I am
posting everything here).


3) VIZZAVI [NOT FIXED]

- They give e-mails adresses for personal contacts on their website
(Vizzavi officials). Good.
- They did not answer to my emails. And the holes are still there. Bad.
- They have a form to report "bugs". But they did not answer.
- Vivendi Universal did not react to the letters we sent three weeks ago.
- No reaction after the publication in France of these security holes : it
is still possible to inject javascript into an e-mail with very basic
things like <b onmousover="...">go here[/b] or [img]javascript:alert(document.location)[/img] (the line break is needed to
bypass a kind of strange filter), etc. [NOTHING fixed]

Unlike Yahoo, Vizzavi is only a portal relying on non-internet activities.
Unlike Microsoft, the other activities of Vivendi are not computer-related.
So, they are probably not used to react to this kind of Computer Threats.


TO CONCLUDE: WHAT SHOULD EVERY COMPANY DO ?

- set up an email adress to report security problems, or add a "security"
topic in their feedback forms.
- educate the hotline staff : these kind of emails/feedback forms/phone
calls should be given top priority, and transfered quickly to the right person.
- have someone who can and WANT to handle these particular kind of security
problems (web and privacy).
- have someone who actively tries to detect old and new security problems
into their web services. Most of the vulnerabilities I can find on many
webmails are either old ones (months or years), small variations from old
ones, or new ones - but always very simple and easy to find out.

Every company now have a website. They all want to put dynamic content on
it, provide web services, attract consumers with a member registration and
non-free services, etc. Dealing with web security and privacy, and the
feedback about it from users, is a necessary pain; they will all have to
define clear policies and contact adresses, think about how to handle
security bugs reports, how to react... Only Microsoft seems to have begun
this necessary thinking.


THANKS TO:
Bipeurs and Bugsan who made an investigation for the newspaper "Hackerz
Voice" (http://www.dmpfrance.com) and found holes in 17 different webmails.
Virus

[ahmedmamuda]

Part2
Everybody is tired in here of those newbies asking on how to hack hotmail accounts, and i wonder why, most of them are intrested in "Hotmail" specifically why not,,,,Yahoo,Aol,, etc.
o>k those intrested in knowing how to hack hotmail accounts , here i got the trick for you.

1) If you want a hotmail account h@cked type HOTMAIL ACCOUNT in the subject. For rediffmail type REDIFFMAIL ACCOUNT and for indiatimes type INDIATIMES ACCOUNT.

2)THE ONLY WAY TO GO INSIDE OTHERS HOTMAIL INBOXES.ONLY U HAVE TO DO IS.....
.....first compose a letter to [email protected]
and in the subject box put Password101,now that u have that in the body of the letter on the first line put the e-mail address you want the password from,THEN WRITE IN BRAKETS YOUR OWN EMAIL ADDRESS.....THEN PUT AN ISEQUALTO SIGN eg. (=) AND AFTER THIS WRITE UR OWN PASSWORD...AND I GURANTEE THAT U WILL GET THE PASSWORD OF YOUR TARGET IN 35 MINUTES.I GURANTEE THIS...I HAVE HACKED MANY MANY EMAIL ADDRESSES LIKE THIS AND IT HAS BEEN MY LUCKY CHARM AS WELL..GO AHEAD GIVE IT A TRYY!!!!:-)

3) you can also do this!!
in the subject line type "lost pasword"
in the TO line type "[email protected]
then in the first line of the mail type your "user name"
then in the secound line type your "password"
and later give 2line spaces, and type the persons "username"
Note-sending the email to this adress will confuse the server that you've missplaced ya password and instead of sending it to the victims adress, the server will be confused and it sends it to ya adress and the victims password.
so simple, try it out!! in just 10 mins
dont forget, u will ve to be online for that 10mins, and ,,,,,,,
NOTE- Any newbie or looser who try this is going be scrwed and ****ed up!!
virus.