nettime's_roving_reporter on Mon, 30 Aug 1999 19:28:31 +0200 (CEST)


<nettime> Wired News: Hotmail Accounts Exposed to All

Hotmail Accounts Exposed to All
by Declan McCullagh


8:05 a.m. 30.Aug.99.PDT
A catastrophic security flaw in Microsoft's Hotmail service lets
anyone read the private correspondence of about 50 million

The bug appears to affect all customers of what Microsoft says is "the
world's largest provider of free Web-based email." 

As of approximately 8:30 a.m. Monday morning, Microsoft had shut off
its Hotmail service to legitimate users. However, the security exploit
still worked by accessing the alternative servers whose Web address
had been widely posted throughout the weekend. 

This effectively shut off the site to all but the hackers. The move
also stopped legitimate users from changing their passwords. 

A Swedish newspaper, Expressen, reported the bug in its Monday
editions. The bug lets anyone log into a Hotmail account without
typing a password. 

The exploit, verified by Wired News, works this way: A Web page with
nine lines of HTML code can connect to a Hotmail server without
requiring a user to enter a password. By early Monday, copies of those
nine lines of HTML source were circulating widely around the Net and
mirrored on hacking-related Web sites. 

"We know nothing about [the individual who tipped us]. It was
anonymous," said Christian Carrwik, one of two Expressen reporters who
broke the news. "It has been circulating for a couple of days." 

"The most interesting thing is that Microsoft said it is working 
on the problem, but they haven't closed down Hotmail, or sent any 
warning to their users," Carrwik said. "The backdoor is still open and 
more and more people are discovering it." 

Expressen said Microsoft was alerted very early Sunday morning. The
company could not immediately be reached for comment. 

Most security vulnerabilities on the Internet require in-depth
knowledge of Unix or Windows NT administration. This breach is
particularly severe because it requires only a Web browser. 

This is only the most recent Microsoft security gaffe. 

Redmond admitted earlier this month that its MSN Messenger
instant-messaging client can accidentally disclose Hotmail account
passwords. Even if the password is supposedly deleted from a computer,
someone else could still view it if they knew the proper keystrokes. 

Last week, Wired News reported a bug in tens of millions of Microsoft
Windows computers that lets an attacker take control of a PC by
sending an email message. 

The facts are the facts.

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: and "info nettime-l" in the msg body
#  archive: contact: