
Hotmail

  • 30-08-1999 9:15pm
    #1
    Registered Users Posts: 6,265 ✭✭✭


    Hotmail Accounts Exposed to All
    by Declan McCullagh and by James Glave

    8:05 a.m. 30.Aug.99.PDT
    A catastrophic security flaw in Microsoft's Hotmail service that was exposed
    over the weekend allowed anyone to read the private correspondence as well
    as impersonate the accounts of about 50 million subscribers.
    The breach was finally closed Monday at around 9 a.m. PDT, when Hotmail
    restored access to legitimate subscribers.

    The bug appears to have affected every customer of what Microsoft says is
    "the world's largest provider of free Web-based email."

    The significance of this security breach is that it was available to anyone
    with a Web browser. Most security vulnerabilities on the Internet require
    in-depth knowledge of Unix or Windows NT language, technical knowledge that
    the average Web user does not know.

    Between 8:30 and 9 am PDT, Microsoft pulled the plug on large portions of
    the entire Hotmail site, rendering it unreachable for millions of
    subscribers. During that period, the only access to Hotmail accounts could
    be made through illicit means -- by those who had access to a simple code
    that had spread wildly on the Net through the weekend.

    That was about 12 hours after the company was notified of the security hole.
    But users already logged in to their accounts -- or someone else's -- could
    continue to send, receive, and delete email.

    Around 9:30, sections of Hotmail began to slowly come back online. By that
    time, people without Hotmail accounts could connect to the site's homepage.
    Users with accounts configured to remember their password, however, received
    this unhelpful message: "ERROR: Cannot open UserData file."

    As of 10:15 a.m., Microsoft engineers, led by Mike Nichols in Redmond,
    Washington, had managed to fix that problem, too, and users could log in
    normally again. Yet there still was no reference to the problem anywhere on
    either the Hotmail or MSN sites.

    Microsoft could not be reached for comment Monday morning, so questions as
    to why the gaping security hole was left open for at least 24 hours -- and
    probably longer -- could not immediately be answered.

    The exploit worked this way: Any Web page that contained a short, simple
    code -- visible on most browsers as a type-in form -- was able to connect to a
    Hotmail server simply by typing in a user name without requiring a password.

    By early Monday, copies of that HTML code were posted on hacking-related Web
    sites.

    The Hotmail exploit apparently took advantage of a bug in the start script
    that processed a login session between a Web browser and a server.

    One site where the problem surfaced was at 2038.com, which Network Solutions
    shows registered to Moving Pictures, a group based in Sweden. Erik Barkel,
    the contact associated with that domain, could not be reached for comment.

    As of about 8:30 a.m. that site redirected to a Web page promoting a
    marketing company.

    The managers of that company said they had nothing to do with the redirect.
    "It's just a point[er] put there by a person who's trying make a joke," said
    Anders Herlin, business development manager at Abel and Baker. "We haven't
    had the slightest idea why."

    "All I know is we do not want to be associated with it," said Herlin. "We
    are a fairly new company. Maybe someone wanted to cause us harm."

    But the code quickly spread to dozens, if not hundreds of sites.

    A Swedish newspaper, Expressen, reported the bug in its Monday editions.
    The bug let anyone log into a Hotmail account without typing a password.

    "We know nothing about [the individual who tipped us]. It was anonymous,"
    said Christian Carrwik, one of two Expressen reporters who broke the news.
    "It has been circulating for a couple of days."

    Expressen said Microsoft was alerted very early Sunday morning.

    This is only the most recent Microsoft security gaffe.

    Redmond admitted earlier this month that its MSN Messenger instant messaging
    client can accidentally disclose Hotmail account passwords. Even if the
    password is supposedly deleted from a computer, someone else could still
    view it if they knew the proper keystrokes.

    Last week, Wired News reported a bug in tens of millions of Microsoft
    Windows computers that lets an attacker take control of a PC by sending an
    email message.


Comments

  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    Yea, tried it on my Hotmail account I had long since forgotten the password to :) Scary!

    Doesn't Outlook Express use Hotmail as a conduit for multiple mail addresses?

