Bugtraq mailing list archives
Re: Hotmail security vulnerability
From: dave () SNEAKERZ ORG (Dr. Dave)
Date: Thu, 21 Oct 1999 23:34:28 -0700
On Thu, Oct 21, 1999 at 09:27:38AM -0500, Pete Krawczyk wrote:
> Within the last couple weeks, Microsoft has unveiled their new Passport service which allows you to log in to multiple sites and do your work with one single login. However, they failed to realize that not all people allow all cookies everywhere to be put on their computer. It is possible by making a settings change in Netscape (and possibly IE) to transparently let a user log in as the last user that used Hotmail on that computer. By setting the Cookies preference to "Accept only cookies that get sent back to the originating server", you can keep the authorization cookie that allows a user to log in to Hotmail and read the last user's mail. The authorization cookie is temporary, however, and is deleted when the browser closes.
>
> Try it:
> 1) In Netscape, set your cookie preference to the above.
> 2) Log in to any Hotmail account.
> 3) Choose "Sign Out".
> 4) From the MSN page that appears after sign-out, choose the Hotmail link.
> 5) You will be back in the Inbox.
>
> Possible Fixes:
> 1) Set cookies to "Accept all cookies"
> 2) Close your browser immediately after signing out.
>
> Tested on Netscape 4.5 and 4.6, using both the "Increased Security" and "Neither" authorization methods.
>
> When contacted at Hotmail_Technical_Support_X () hotmail com (Hotmail gives you this address to ask security questions if you send a blank email to howsecure () hotmail com ), I got a Mail Delivery error that the address did not exist.
>
> -Pete K
> --
> Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/
> pkrawczy at uiuc dot edu
> Finger for PGP Public Key
We are currently looking into this, it seems to be sporadic. Certain accounts are vulnerable to this. I have had limited success reproducing this on a number of platforms and browsers.

--
--------------------------------------------------------------------------
Dave McKay
dave () sneakerz org
MSN Hotmail http://www.hotmail.com
--------------------------------------------------------------------------
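The following is an added toy model, not code from either poster or from Hotmail, of the failure mode the report describes: a browser that accepts only first-party cookies will also reject a cross-site attempt to expire the session cookie, so if sign-out happens on another host and the server keeps the session alive, the next visitor lands in the previous user's inbox. It assumes hostnames "mail.example" and "portal.example" (constructed placeholders) and that sign-out works by expiring the cookie; it shows that invalidating the session server-side closes the gap regardless of the client's cookie policy.

```python
from dataclasses import dataclass, field


@dataclass
class CookieJar:
    """Browser cookie jar modelling Netscape's 'only originating server' policy (assumption)."""
    first_party_only: bool
    cookies: dict = field(default_factory=dict)  # host -> {name: value}

    def set_cookie(self, page_host, cookie_host, name, value):
        # Under the restrictive policy, a Set-Cookie for a host other than the page
        # being viewed is dropped, including one whose purpose is to expire the cookie.
        if self.first_party_only and page_host != cookie_host:
            return False
        if value is None:  # value None models an expiry / deletion
            self.cookies.get(cookie_host, {}).pop(name, None)
        else:
            self.cookies.setdefault(cookie_host, {})[name] = value
        return True

    def get(self, host, name):
        return self.cookies.get(host, {}).get(name)


class MailServer:
    """Minimal session store: token -> user."""
    def __init__(self):
        self.sessions = {}

    def login(self, user):
        tok = f"tok-{user}-1"  # constructed token, not a real format
        self.sessions[tok] = user
        return tok

    def logout(self, tok, invalidate_server_side):
        if invalidate_server_side:  # the robust fix: kill the session itself
            self.sessions.pop(tok, None)

    def inbox_for(self, tok):
        return self.sessions.get(tok)  # None means "not signed in"


def scenario(logout_page_host, invalidate_server_side):
    """Return the user whose inbox is shown after sign-out, or None if properly logged out."""
    jar = CookieJar(first_party_only=True)
    srv = MailServer()
    tok = srv.login("alice")
    jar.set_cookie("mail.example", "mail.example", "auth", tok)     # login page sets it
    jar.set_cookie(logout_page_host, "mail.example", "auth", None)   # sign-out tries to expire it
    srv.logout(tok, invalidate_server_side)
    return srv.inbox_for(jar.get("mail.example", "auth"))
```

Running scenario("portal.example", False) reproduces the report (the previous user's inbox comes back), while a same-host sign-out or server-side invalidation yields None.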