Information Security News mailing list archives

Hackers Shortcut Hotmail Password Reset Protections


From: InfoSec News <isn () c4i org>
Date: Tue, 12 Feb 2002 03:03:24 -0600 (CST)

http://www.newsbytes.com/news/02/174400.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
11 Feb 2002, 4:25 PM CST
 
Security researchers have discovered a vulnerability in Microsoft
Corp.'s Hotmail service that allows hackers to bypass security
questions that users must answer before resetting their passwords.

Normally, if Hotmail users forget their password they must fill out a
Web form that requires their e-mail address, state, zip code and
country. Users who enter the correct information are then prompted for
the answer to the "secret question" they selected when signing up for
the service.
 
According to information obtained by Newsbytes, hackers recently
discovered a way to skip the validation form and go directly to any
user's "secret question" prompt. From there, the intruder is only one
step away from resetting the user's password.

Sources say that since the discovery of the security hole roughly two
weeks ago, a small cadre of hackers has been patiently checking a long
list of high-profile and desirable usernames for easily-guessed
answers to secret questions.

Screenshots obtained by Newsbytes showed that the password and secret
question for at least one highly desirable Hotmail username of the
sort traditionally reserved for system administrators had been changed
to "Who owns you????" Another hacked secret question was changed to an
Internet address for a hacker group's Web site.

"It got my attention right off, because I know I've never taken those
'secret question' things seriously enough to jot in anything other
than 'abcdef' or 'whatnot'," said Adrian Lamo, a security researcher
who reported the problem to Microsoft through Newsbytes.

As a result of the vulnerability, many Hotmail users who rely on a
variation of "What's my favorite color" for a secret question could
find themselves shut out of their Webmail, Lamo said.

A Microsoft spokesman said there was nothing wrong with the company's
e-mail login service, and noted that Microsoft leaves it up to users
to make their secret questions as secure as possible.

The security problem posed by the exploit doesn't stop at e-mail,
however. Hotmail authentication also automatically signs the user in
to other Microsoft services, such as .Net Passport, a service that
allows users to automatically transfer personal and financial
information about themselves to approximately 100 participating
merchant Web sites.

Armed with a user's Hotmail sign-on, an intruder could theoretically
shop at any one of the participating merchants, bill the purchases to
the hijacked user account and ship the item to another address, Lamo
said.

The new vulnerability is the latest in a string of security problems
with Hotmail, a service that claims more than 200 million users.

Last month, scores of Microsoft's Gaming Zone users found themselves
faced with Hotmail address books containing the names and addresses of
total strangers. Some who attempted to compose messages from the
account were startled to see a signature line automatically attached
to the bottom of their messages, bearing the name and contact
information of someone they had never heard of.

Throughout last year, hackers discovered various ways of embedding
Hotmail messages with Javascript code that redirected users to a fake
Hotmail site designed to trick them into re-entering their password.

In this instance, however, the keys to the exploit are actually hidden
within the source code for the Hotmail login page. The code, visible
to anyone knowledgeable enough to select "View Source" from the menu
of their Web browser, reveals a "hidden" field that when populated
with the desired username, saved as an HTML file and executed in a Web
browser produces the targeted user's "secret question."
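The flaw described above, a password-reset flow whose second step trusts a client-supplied hidden field instead of proof that the first step (the e-mail address, state, zip code and country form) was completed, is a general class of multi-step workflow bug. The Python example below is added here and is not code from the article, from Microsoft or from Hotmail. It contrasts a handler that serves the secret question to whoever posts a `username` field with a flow in which the second and third steps are gated by a random token the server issues only after the identity form validates, and which also caps answer guesses per token, the kind of check that blunts the patient username-list guessing the article reports. The account record, field names and token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store (not real data). The secret answer and password
# are stored hashed; a real deployment would use a slow password hash, not plain SHA-256.
ACCOUNTS = {
    "alice@example.invalid": {
        "state": "WA", "zip": "98052", "country": "US",
        "secret_question": "Name of first pet?",
        "answer_hash": hashlib.sha256(b"rex").hexdigest(),
        "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    },
}

MAX_ANSWER_ATTEMPTS = 3  # assumed policy value


def vulnerable_secret_question(form):
    """Weak pattern: step 2 trusts a hidden form field to name the account.

    Nothing proves that step 1 (the identity form) was ever completed, so anyone
    who posts a username receives that user's secret question.
    """
    user = ACCOUNTS.get(form.get("username", ""))
    return None if user is None else user["secret_question"]


class ResetFlow:
    """Hardened pattern: every step is gated by server-side state, not by client fields."""

    def __init__(self):
        # token -> {"username": ..., "attempts": ...}; an entry exists only after step 1 passes
        self._pending = {}

    def validate_identity(self, form):
        """Step 1: check the identity form; on success issue an opaque random token."""
        user = ACCOUNTS.get(form.get("email", ""))
        if user is None:
            return None
        supplied = "|".join(form.get(k, "") for k in ("state", "zip", "country"))
        expected = "|".join(user[k] for k in ("state", "zip", "country"))
        if not hmac.compare_digest(supplied, expected):  # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"username": form["email"], "attempts": 0}
        return token

    def secret_question(self, form):
        """Step 2: the account is looked up from server state keyed by the token, never from the form."""
        entry = self._pending.get(form.get("token", ""))
        return None if entry is None else ACCOUNTS[entry["username"]]["secret_question"]

    def reset_password(self, form, new_password):
        """Step 3: verify the answer, limit guesses, and consume the single-use token."""
        token = form.get("token", "")
        entry = self._pending.get(token)
        if entry is None:
            return False
        account = ACCOUNTS[entry["username"]]
        given = hashlib.sha256(form.get("answer", "").encode()).hexdigest()
        if not hmac.compare_digest(given, account["answer_hash"]):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ANSWER_ATTEMPTS:
                del self._pending[token]  # too many guesses: the user must restart at step 1
            return False
        del self._pending[token]  # success also consumes the token
        account["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        return True
```

The key difference is where the account name comes from: in the weak handler it is whatever the client posted, while in `ResetFlow` it is bound server-side to a token that only step 1 can mint, so "View Source" reveals nothing a client can use to skip ahead. The guess cap matters independently, because, as the article's sources note, an attacker who can reach the question at all will try easy answers across many accounts.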

"Cisco Kid," the nickname for the hacker who helped to develop the
exploit, said Microsoft simply has no good explanation for leaving
something so central to authentication in plain text.

"It was quite disconcerting to see such a seemingly heavily protected
Web-site and e-mail service overlook the prospect of encrypting
information pertaining to resetting passwords," the Kid said.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
