Hotmail Cracked Badly

CmdrTaco posted about 15 years ago | from the protect-your-asses dept.


All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

One Word (0)

Anonymous Coward | about 15 years ago | (#1717212)


more info? (0)

Anonymous Coward | about 15 years ago | (#1717213)

How about some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)

No meat, Commander. I'm hungry. (0)

Anonymous Coward | about 15 years ago | (#1717214)

How do I respond to this? You've given me nothing to work with. No pundit's opinion to read. No way to get the raw details for myself. GIVE ME MEAT!

imagine that... (0)

Anonymous Coward | about 15 years ago | (#1717215)

who would have thought that an NT box would have shoddy security on it? :)

Hotmail & security (0)

Anonymous Coward | about 15 years ago | (#1717216)

Doesn't make me wonder. Hotmail was always known for security problems. I block anything from Hotmail anyway, since only spam ever comes from Hotmail, so who cares?

(Oh, damned! I was so tempted to write first post! But thank God I waited a minute and resisted the dark side :-)

Re:more info? (0)

Anonymous Coward | about 15 years ago | (#1717217)

Test here: []

Re:One Word (0)

Anonymous Coward | about 15 years ago | (#1717218)

But I thought, I had heard some time ago that Hotmail ran on Solaris.. I thought there was even a story about MS trying to move it to NT after they bought it, but failed.

Last Straw (0)

Anonymous Coward | about 15 years ago | (#1717219)

That is it, the last straw, I have come to the sorrowful conclusion that Microsoft is sorry and too wrapped up in profit and making their name larger than it already is, this is just another example of them cutting corners and not taking care of their customers that support them. I have already begun my switch to Linux, with a light version of win98 on my box for the gaming side of the house, I am tired of the bugs, the crappy support, and the flak, M$ has got to go.

Password (0)

Anonymous Coward | about 15 years ago | (#1717220)

I just read about this Passport thing when I visited the hotmail site because of this story. Of course, wouldn't sign up with such a Microsoft thing but maybe it isn't a bad idea - if done right with open source, etc. Like everyone I have zillions of logins that I have to manage. I would like a secure and convenient way to do it. But maybe the only secure way is to avoid trusting some login broker.

Re:One Word (0)

Anonymous Coward | about 15 years ago | (#1717221)

> But I thought, I had heard some time ago that Hotmail ran on Solaris..

Uh, yeah. And what's your point? Solaris is just the operating system. It's Hotmail's/Micro$soft's *application* that's broken.

Re:imagine that... (0)

Anonymous Coward | about 15 years ago | (#1717223)

Last time I checked hotmail was using Solaris and/or a BSD. Hmm... How can you possibly find a way to bash NT given those facts?
News for lynch mobs. Stuff that matters.

Re:More info ? (0)

Anonymous Coward | about 15 years ago | (#1717224)

Checked an old account of mine and no it's not the password.

Re:Before anybody starts crowing ... (0)

Anonymous Coward | about 15 years ago | (#1717225)

Asking people on slashdot not to go apeshit over a story about MS is pointless.

Re:Blammo! (0)

Anonymous Coward | about 15 years ago | (#1717226)

Do you have any proof of this? I have heard this was FUD and MS never had any plans of moving hotmail to NT.

Re:Before anybody starts crowing ... (0)

Anonymous Coward | about 15 years ago | (#1717227)

Asking people on slashdot not to go apeshit over a story about MS is pointless.

Sigh ... I suppose you're right. But as a sometime-member of the clan Anonymous Coward, I hope to bring some respectability to the fallen (if it was ever perched anywhere from which it could fall) house.

How long does it take microsoft to fix this? (0)

Anonymous Coward | about 15 years ago | (#1717228)

Is there anyone with more info on when the bug first showed up,
I would be *very* interested to see how long it takes microsoft to fix this.

Logging? (0)

Anonymous Coward | about 15 years ago | (#1717229)

Anyone know if they are currently logging connections or have any way to track people who use this exploit?

Re:Blammo! (0)

Anonymous Coward | about 15 years ago | (#1717230)

so let me see. you don't like NT (that much is obvious), you don't like solaris, i suppose you might have a gripe or two about linux too. and the last piece of free software you contributed is.....

Heh (0)

Anonymous Coward | about 15 years ago | (#1717231)

This is cool, I just read my sister's email and deleted all her spam. Now you can go after any spammers =)

Re:Found the link...too late (0)

Anonymous Coward | about 15 years ago | (#1717232)

Well, one hopes that among the admins at hotmail are /. readers and they're working on it as we speak. If not, well, then somebody should really send them email about the exploit. As much as I don't like MS, there are *real people* (!=MS execubots) with assets that may be put in jeopardy by this.

"See, if you have the goodwill of the community, you can get these things reported to you and fix them without having to face a potentially devastating security breach."

Re:psycho fud-flingers!!! (0)

Anonymous Coward | about 15 years ago | (#1717233)

I can log into my account, but not actually read any of the messages, can anyone else read their messages??

Re:Has anyone tried the crack and got it to work? (0)

Anonymous Coward | about 15 years ago | (#1717234)

Yes. I did. It worked at about 7AM PDT for a couple of minutes, then it stopped working with various errors generated. Noticed the errors when I was in a mailbox and couldn't read the messages (some sort of cookie error, it said). Upon trying a different login, the exploit seemed to not work, generating an error message. So, *something* appears to be being done. -Rich

Re:action (0)

Anonymous Coward | about 15 years ago | (#1717235)

Deleting really won't help in the short term. To quote Hotmail's "trash can" -- "Trash is emptied several times a week" So even if you delete all your stuff now it will linger for a few days.

Why Sign With Us? (1)

Anonymous Coward | about 15 years ago | (#1717372)

Your e-mail is private and secure (yeah right! hehehe)

When you sign up for Hotmail, you choose your personal ID and password. The only way you can access your account is by using the password you select. This means that only you will have access to your Hotmail account, even if you use a computer at a public terminal or a friend's house. (unless you use our convenient form based access if you "forget" your password... hehe)

Because the messages in your Hotmail account are stored securely at a central location, you don't have to worry about losing important information if something happens to your computer. (until someone breaks in... heheh)

Hotmail is strongly committed to keeping your personal information confidential. For more information on our Privacy Policy, click here. (the info goes straight to billg's desk. he reads it all! he knows who you are... heheh)

Sign Up Now!

excerpt from: hminfo_shell.asp?_lang=&beta=&content=whysign&us=ws

/. k.d. /. earthtrickle - Monkeys vs. Robots Films

Re:more info? (3)

Anonymous Coward | about 15 years ago | (#1717377)

Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL: VE&js=no&login=ENTERLOGINHERE&passwd=eh

replace ENTERLOGINHERE with the account you are cracking.

This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.

Before anybody starts crowing ... (4)

Anonymous Coward | about 15 years ago | (#1717378)

1) We're not told in this story where *exactly* the security hole is (in which part of the system)

2)According to Netcraft: " is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"

So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.

Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.

Re:Blammo! (5)

Gleef (86) | about 15 years ago | (#1717381)

Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.


don't work no mo' (1)

Shiska (131) | about 15 years ago | (#1717382)

you can login as a user and get a list of their mail, but you can no longer view it. ...shucks.
----------------- ------------ ---- --- - - - -

What are the implications? (2)

kris (824) | about 15 years ago | (#1717388)

What are the implications of this regarding the
Microsoft Passport programme? From

Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSNTM HotmailTM member, you can use your Hotmail member name and password as your Passport!

That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites-without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.

Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click-without having to re-enter any information. No multiple sign ins, no hassles!

Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?

Re:more info? (1)

Wansu (846) | about 15 years ago | (#1717389)

Dog bitecha!

Re:One Word (1)

C.Lee (1190) | about 15 years ago | (#1717392)

Bullshit. Microsoft screwed Hotmail up badly. Compare Hotmail as it was *BEFORE* Microsoft got its hands on it as opposed to the way it is now. The old Hotmail didn't care what browser you used to access it. Now thanks to MS, you can't use older browsers or Lynx with it (well you can use lynx but you have to modify it)

Security and platforms (5)

Oestergaard (3005) | about 15 years ago | (#1717403)

I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.

It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.

Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?

Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.

One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing?

We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.

Re:Security and platforms (1)

Mawbid (3993) | about 15 years ago | (#1717407)

We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
Well, I haven't dealt with authentication myself, but if I had to, I'd begin by taking a close look at PAM rather than rolling my own.

Re:more info? (1)

gr (4059) | about 15 years ago | (#1717408)

I wrote: Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

Hee hee... s/ASP/cgi/

So this just means it's lousy coding. No surprise there. cgi-bin's been a scary thing to have on your system for a long time.

Re:more info? (2)

gr (4059) | about 15 years ago | (#1717411)

Anonymous Coward writes
How about some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)

I agree. Why haven't I seen this on Bugtraq yet? I'll admit I haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts /. these days).

Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

Btw, someone want to moderate up that (intelligent) AC comment?

Re:One Word (1)

scenic (4226) | about 15 years ago | (#1717412)

didn't improve it? Are you serious? It's changed quite a bit since they bought it... not to mention "cool" things like integration with MSFT Passport. Now there's a good idea. Place credit cards, mailing addresses, and passwords into our cool online service so that crackers know exactly where to hit the mother lode.


Re:Password (1)

scenic (4226) | about 15 years ago | (#1717413)

It's a good idea, but best left decentralized (i.e. maybe a standard extension in the browser or some such idea). The idea of a single server for this type of information just scares me.... cracked once and a whole lot of people are in trouble. And, by its very nature, it can't be protected in the same ways as credit card computer systems and bank systems (firewalls and dedicated networks).


The address (3)

el_nino (4271) | about 15 years ago | (#1717414)

Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.

Anyway, I've been told that they use "Microsoft Passport" and that's what's been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?

Well, I guess they're too embarrassed to talk about it...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => '',
'work' => '', 'phone' => '+46-708-444705'

Re:The address (5)

el_nino (4271) | about 15 years ago | (#1717415)

Oh well...
%japh = (
'name' => 'Niklas Nordebo', 'mail' => '',
'work' => '', 'phone' => '+46-708-444705'

Re:more info? (2)

luge (4808) | about 15 years ago | (#1717418)

Looks like it is gone now- could anyone describe it?

Re:more info? (2)

luge (4808) | about 15 years ago | (#1717419)

I take that back. Holy crap indeed. Thank goodness for free school email (not that it wasn't cracked in January, but whatever...)

A matter of time... (1)

Chilli (5230) | about 15 years ago | (#1717421)

This is exactly why I would never ever do anything but trivial conversation over something like a hotmail account. Sure, somebody could hack into my box, but a hotmail account is just begging for it.


Re:Blammo! (1)

Chilli (5230) | about 15 years ago | (#1717422)

Sure you need good software to make a good system, but in the end it is the administrator who makes the difference. So, at least we know who to blame ;-)


Nature of the exploit (5)

bgarrett (6193) | about 15 years ago | (#1717426)

I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).

Remember, Hotmail uses both Solaris and NT in various capacities.

Re:Hotmail & security (2)

ariels (6608) | about 15 years ago | (#1717427)

> I block anything from Hotmail anyway, since only
> spam ever comes from Hotmail, so who cares?

The last time I got spam from Hotmail, I sent an irate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.

Here's my procmail recipe which does just that:

:0 H:
* ^(From|X-From-Line|Return-Path):.*hotmail\.com
* !^X-Originating-IP:
# Action line assumed here (the original post stopped at the conditions): deliver matches to a local "hotmail-suspect" folder
hotmail-suspect

Re:psycho fud-flingers!!! (2)

Mr Z (6791) | about 15 years ago | (#1717429)

It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.



Mr Z (6791) | about 15 years ago | (#1717430)

Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where all of the non-italicised text can remain constant: &js=no&login= username &passwd=eh

In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.
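The flaw described above and in the earlier interMute write-up (the mailbox view trusting the login parameter and never checking passwd), as an added illustration that is not code from this thread, from Hotmail or from Microsoft: a vulnerable handler beside a hardened one that selects the mailbox only from a server-issued session, plus a check over constructed access-log lines for the bypass pattern. The endpoint path, hostname, user table, mailbox contents and log format are all assumptions.

```python
"""Added example, not code from the Slashdot thread or from Hotmail/Microsoft.

A minimal mailbox-view handler with the bug described in the thread, a hardened
version built on a server-side session, and a log check for the bypass pattern.
Users, mailboxes, endpoint path, hostname and log lines are constructed samples."""
import hashlib
import hmac
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample users (salted password hashes) and their mailboxes.
_SALT = b"constructed-salt"


def _hash_pw(passwd: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passwd.encode(), _SALT, 10_000)


USERS = {"alice": _hash_pw("correct horse"), "bob": _hash_pw("hunter2")}
MAILBOXES = {"alice": ["Re: lunch", "VISA statement"], "bob": ["spam offer"]}


def vulnerable_view_mailbox(query: str) -> Optional[list]:
    """The bug as described: whoever is named in `login` gets that mailbox;
    `passwd` is present in the URL but never compared to anything."""
    params = parse_qs(query)
    login = params.get("login", [""])[0]
    return MAILBOXES.get(login)


# Hardened design: verify credentials once, hand out an opaque session token,
# and make the mailbox view depend on that token alone, never on the URL.
SESSIONS: dict = {}  # token -> login


def login_user(login: str, passwd: str) -> Optional[str]:
    """Returns a session token on success, None on failure."""
    stored = USERS.get(login)
    candidate = _hash_pw(passwd)  # always hash, so unknown users cost the same
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = login
    return token


def hardened_view_mailbox(query: str, session_token: Optional[str]) -> Optional[list]:
    """`login`/`passwd` in the query string are ignored entirely; only a
    session issued by login_user() selects a mailbox."""
    login = SESSIONS.get(session_token or "")
    if login is None:
        return None  # would be a 401 or a redirect to the login form
    return MAILBOXES[login]


# Detection side, for the "are they logging this?" question in the thread:
# flag mailbox requests that name a user in the URL and either carry the
# known password placeholder or arrive from an off-site Referer.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d+ \d+ "([^"]*)"')
OWN_HOST = "mail.example.invalid"  # assumed hostname of the service


def find_bypass_requests(log_lines, passwd_placeholder="eh"):
    """Returns (client_ip, login) for each request matching the bypass pattern."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        client, url, referer = m.groups()
        params = parse_qs(url.split("?", 1)[1])
        login = params.get("login", [""])[0]
        passwd = params.get("passwd", [""])[0]
        offsite = bool(referer) and OWN_HOST not in referer
        if login and (passwd == passwd_placeholder or offsite):
            hits.append((client, login))
    return hits


SAMPLE_LOG = [  # constructed lines in a common-log-style format, not real Hotmail logs
    '10.0.0.5 - - [30/Aug/1999:07:02:11 -0700] "GET /cgi-bin/start?js=no&login=alice&passwd=eh HTTP/1.0" 200 512 "http://other.example.invalid/form.html"',
    '10.0.0.9 - - [30/Aug/1999:07:03:40 -0700] "GET /cgi-bin/start?js=no&login=bob&passwd=hunter2 HTTP/1.0" 200 611 "http://mail.example.invalid/login"',
    '10.0.0.7 - - [30/Aug/1999:07:04:02 -0700] "GET /cgi-bin/start?js=no&login=bob&passwd=x HTTP/1.0" 200 611 "http://other.example.invalid/form.html"',
]
```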


Web mail (2)

eponymous cohort (8637) | about 15 years ago | (#1717432)

This is one reason why I avoid web mail. I prefer pop3 where the mail only sits on the server for a short time, and is then pulled down to my own system.

Plus your local ISP's pop server is not a high-profile target like Hotmail, making it far less likely to come under attack.

At last, a credible story to scare my boss ... (2)

Cally (10873) | about 15 years ago | (#1717442)

Trust == reputation == value to an operation like Hotmail, and this is going to make them a laughing stock.

In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.

Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...

how interesting... (1)

cswiii (11061) | about 15 years ago | (#1717443)

..that it was almost exactly a year ago that this exploit [] was discovered...

Re:The address (1)

kevlar (13509) | about 15 years ago | (#1717448)

Why don't you post the URL, since this is a public forum, and you're only sharing public information.

Re:Nature of the exploit (4)

dirty (13560) | about 15 years ago | (#1717450)

From what I've seen basically Hotmail trusts a certain URL to be accurate w/o doing any verification of the password. This isn't an NT issue or a Solaris issue or any other OS related security hole. It's just bad programming on the part of whoever wrote the offending code. Whether it was MS who messed up or the people who originally wrote hotmail I wish I knew.

Re:One Word (1)

heavyd (14616) | about 15 years ago | (#1717456)

I don't think it's possible to use Lynx. See here for why.

Holy cow (1)

Dakota (15681) | about 15 years ago | (#1717459)

This is just way too funny.

Re:more info? (1)

Bartmoss (16109) | about 15 years ago | (#1717462)

Holy crap......

This is bad... (2)

Bartmoss (16109) | about 15 years ago | (#1717464)

Well, I saw it coming. I was never a friend of web based freemailers, anyway, especially not hotmail. However, it would be interesting to know more details on this hack. Is it just a hotmail problem? What about other freemailers such as yahoo? is there some official statement by hotmail? Inquiring minds would like to know.

psycho fud-flingers!!! (1)

UM_Maverick (16890) | about 15 years ago | (#1717467)

First of all, Hotmail is not run on NT, and does not use ASP. It is run on FreeBSD/apache (see netcraft [] for details). They tried to migrate it to NT when they bought it, but NT couldn't handle it, so they switched back.
Second of all...well, there is no second of all, but I wanted to make sure everyone realized this is NOT an NT problem.

Re:more info? (1)

tweek (18111) | about 15 years ago | (#1717472)

I said the same thing and then went and told all the people at the office to pull their hotmail accounts.

The swedish guy... (1)

tweek (18111) | about 15 years ago | (#1717473)

So how long will it take ms to go hunt down the guy who owns the domain? Wonder if his server got cracked and it was posted there?

More info ? (1)

Raphael (18701) | about 15 years ago | (#1717476)

I wonder if the information about the compromised accounts will ever be mentioned on the HotMail pages...

In the meantime, does anyone have more details about this? Specifically, I would like to know if the crackers stole a list of passwords or if they found a way to enter the site without using a password. In the former case, you would only have to change your password to be safe. In the latter case, you could hope that the HotMail staff would patch the hole quickly.

Fun Things To Try... (1)

the_tsi (19767) | about 15 years ago | (#1717481)

The obvious first thing to do would be to suck a couple million blocks from the leaders on look for people using hotmail addresses, send them their password, read it, then assign their keys to another address. Now, this could certainly help Slashdot catch up with Guy Kawasaki and his playmates, but it might be a better way to get one's own participation in jeopardy.


Still working... (2)

RPoet (20693) | about 15 years ago | (#1717488)

It's still working... I can't believe something like this is possible - and it's not even /.'ed :)

Why don't MS just block requests from the referring host in question? How hard can it be?

Any links? (1)

mwillis (21215) | about 15 years ago | (#1717489)

Is this really true? Can somebody provide a news link for any stories? I don't think posting a link to the h4x0r www entry page is a good idea, though.

Re:more info? (1)

mwillis (21215) | about 15 years ago | (#1717490)

This is a backdoor, not a crack of the password files. Changing your password does not protect you here.

Re:More info ? (1)

big-dog (21618) | about 15 years ago | (#1717494)

I believe it's an actual hotmail hole. I saw the site and actually checked 2 of my hotmail accounts with just putting in my account name. THAT'S IT! I say Microsoft hurry up and get patchin!

Nothing wrong with web freemailers... (1)

nwalker (23468) | about 15 years ago | (#1717501)

...just most current web freemailers. Web-based email can be really convenient. With more and more web-only free public terminals around, it's becoming a more standard and easier way to read your email than telnet.

What's needed is a good, free, SECURE web-based freemail. There have been a number of such attempts, such as HushMail, etc. - but all are pretty lacking. A good overview of "secure" web-based mailers can be found at Counterpane [] .

It's time for people to start rejecting inherently insecure solutions.

Yes. And changing your password doesn't work... (1)

GoodPint (24051) | about 15 years ago | (#1717502)

I've gone to the site and viewed two different hotmail accounts (mine and my brother's). My brother has _never_ used this machine to read his Hotmail (it's at work and he's never even been in the building!), so it's not based on cookies etc.

Changing your password doesn't protect you either.
I've tried it.


Blammo! (0)

Masker (25119) | about 15 years ago | (#1717506)

Microsoft with egg all over its collective face again. Heh heh heh. I thought, though, that hotmail was running on a *BSD box? I had heard that WinNT couldn't handle the load of hotmail, so they had to use *BSD (Don't know which variant). Can anyone clarify this? If it was NT, all the better.....

Found the link...too late (1)

PeterMiller (27216) | about 15 years ago | (#1717508)

The crack stopped working a few minutes ago. Unless hotmail is /.'ed

Re:A matter of time... (1)

The Fonze (28895) | about 15 years ago | (#1717510)

people say it time and time again, don't send anything in a text message that you don't want the world reading. I'll tell you what, if I had a hotmail account, I'd give everyone that password, better yet anyone who wants to read my mail, reply to this message, and I'll forward you everything. I promise.

Re:Blammo! (1)

egon (29680) | about 15 years ago | (#1717516)

Unless I'm mistaken (a very distinct possibility) it is running off of Slowlaris boxen.

I would suspect that the hack was not in the OS itself, but rather the hotmail software itself.

Re:What are the implications? (1)

akey (29718) | about 15 years ago | (#1717517)

There's a very good chance that the forged information will be used/accepted by other services. When you log out from Hotmail, you get a screen showing you what services that Passport is logging you out of.

If the Microsoft passport is the problem (1)

bug_hunter (32923) | about 15 years ago | (#1717527)

I heard somewhere that the Microsoft passport system is what caused the security leak. Here's some PR at the passport site

"Gone are the days when you had to remember a member name and password for every site you visited. With your free Microsoft® Passport, you select just one member name and password to use on a fast-growing number of major sites!"

Currently they're working with a slight variation of the above plan but it's still ingenious, by getting rid of passwords altogether it is darn easy for you to log on.

I wonder why... (2)

tlight (36060) | about 15 years ago | (#1717535)

Hotmail doesn't disconnect their service like eh.... right now seems a good time! I mean... this seems like the sensible thing to do now...

tabloids first (2)

Hobbex (41473) | about 15 years ago | (#1717547)

This was the headline of a tabloid here in Sweden this morning. Though at the time I assumed it was just more Internet FUD. Could it be that we are finally seeing public awareness to network security??? Hopefully we can smudge Microsoft over this story in the popular press.

/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Re:Holy cow (2)

Sun Tzu (41522) | about 15 years ago | (#1717548)

but made less funny by the fact that they don't run hotmail on MS-ware, as of the last I heard.

Re:Last Straw (1)

johnhebert (53732) | about 15 years ago | (#1717565)

Welcome aboard. Need any help? :)

Secure Web mail (4)

Enoch Root (57473) | about 15 years ago | (#1717577)

I find it amusing that it would come to this. Hotmail keeps saying in TV ads that they're "perfectly secure and private" because they prompt you for a PASSWORD when you try to access your mailbox. Whatever means was used to crack Hotmail, I think it's a good thing. It will make people realise a system is not secure because the company hosting it says so.

This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)

On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail [] for Email with a real security. At least their encryption isn't just XOR-based. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Oh fuck.. (1)

prodeje (58779) | about 15 years ago | (#1717581)

This is serious.. I have no idea why they haven't pulled the fucking plug on the box. I'm glad that I never had any cc's on there.

This thing actually works..

YES! (1)

ffatTony (63354) | about 15 years ago | (#1717592)

It worked w/o a password on my own account. I was too fearful to try any others.

Microsoft Passport "Security" (2)

dynweb (69307) | about 15 years ago | (#1717605)

Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here [] to see the MS FUD on "Passport Security".

Not the first time (1)

Alejo (69447) | about 15 years ago | (#1717607)

A while ago there was an even uglier hack.
sort of auto-linking abusing the url.

Re:Last Straw (1)

Stonehand (71085) | about 15 years ago | (#1717611)

Just keep in mind that other programs don't have to come from MSFT to be coded badly. Remember the bad ol' days of Sendmail popping up on BUGTRAQ every so often, along w/ imapd and wuftpd? So switch if you like, but don't get too complacent and neglect to lock down a critical box.

You can have the safest OS in the world, and still have lousy security if a single privileged, network-accessible program is written with the slightest bit of carelessness...

Go ahead and bash MS (1)

learned (72222) | about 15 years ago | (#1717616)

Yes hotmail runs BSD/Apache, but MS bought it. It's most likely the code and MS IT managers should have seen the security problems and addressed them.

But this is also a problem with IT management everywhere. Sys admins typically tell IT managers everything that needs to be done (backup, security, etc.), but IT managers are reacting to poor business practices of the marketing/sales people, and ignore problems until they happen.

Re:psycho fud-flingers!!! (1)

cheese63 (74259) | about 15 years ago | (#1717618)

i could. i logged on to my brother's account and read his messages... it's pretty bad.

Re:One Word (1)

johnwerneken (74428) | about 15 years ago | (#1717619)

Not necessarily. Ms didn't invent Hotmail, probably did not improve it, and may not even have changed it.

link? (1)

sevenseven (75320) | about 15 years ago | (#1717622)

anyone got a link? plus i guess it was just a software fault, nothing else... right? sloppy programming (m$ style) and people that had time to track it and exploit it...

nevermind (1)

sevenseven (75320) | about 15 years ago | (#1717623)

nevermind... it is too dangerous

let's wait for ms to plug the hole

Re:More info ? (1)

sevenseven (75320) | about 15 years ago | (#1717624)

yeah.. i guess the only safe thing to do is to hurry and clean up your account and make sure you do not have anything valuable there...

Re:Has anyone tried the crack and got it to work? (1)

sevenseven (75320) | about 15 years ago | (#1717625)

a lot of people used it and it works fine... like getting to and any other existing account

action (1)

sevenseven (75320) | about 15 years ago | (#1717626)

so what am i supposed to do if i have an account with hotmail and i have sensitive information there? any suggestions? i guess all i can do at this point is delete everything remotely important and pray that no one that would be interested will log in to look at my account.

[btw - i do not have an account with hotmail, but a lot of my friends do]

Re:just ./'ed (1)

sevenseven (75320) | about 15 years ago | (#1717627)

it is working.. just heavily ./'ed

legality? (1)

sevenseven (75320) | about 15 years ago | (#1717628)

just wondering what microsoft can do with the domain owner that posted it?

Re:more info? (1)

ufdraco (78193) | about 15 years ago | (#1717630)

Same here. Though I was disappointed that they didn't explain HOW it was done, give any of the code, or anything of that sort. As it is, it is nothing more than a stunt. If they want to hide behind "We're alerting MS to a security hole" they need to do more than just demonstrate the hole. Or did they email MS/Hotmail with the information?

Anyway, thank God I ditched Hotmail a long time ago...

Re:One Word (1)

witz (79173) | about 15 years ago | (#1717632)

It runs on Solaris and FreeBSD.

Re:imagine that... (1)

witz (79173) | about 15 years ago | (#1717633)

You people piss and moan about FUD, then you spread it yourself by spreading the incorrect notion that Hotmail runs NT. It doesn't, idiot.


Has anyone tried the crack and got it to work? (1)

dante773 (83748) | about 15 years ago | (#1717644)

Before we start going ape on Microsoft (I'll be the last one to defend them, though), has anyone actually used the crack and got it to work?


dante773 (83748) | about 15 years ago | (#1717645)

I just tried it with a few people's hotmail accounts I know and IT DOES SEEM TO WORK.

Make sure nothing important is on hotmail.

Wow.. this is scary.
