[12307] in bugtraq
Hotmail security vulnerability
daemon@ATHENA.MIT.EDU (Pete Krawczyk)
Thu Oct 21 15:32:41 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.5.32.19991021092738.01c5d3b0@jetson.astro.uiuc.edu>
Date: Thu, 21 Oct 1999 09:27:38 -0500
Reply-To: Pete Krawczyk <pkrawczy@UIUC.EDU>
From: Pete Krawczyk <pkrawczy@UIUC.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Within the last couple of weeks, Microsoft has unveiled their new Passport
service which allows you to log in to multiple sites and do your work with
one single login. However, they failed to realize that not all people
allow all cookies everywhere to be put on their computer.
It is possible by making a settings change in Netscape (and possibly IE) to
transparently let a user log in as the last user that used Hotmail on that
computer.
By setting the Cookies preference to "Accept only cookies that get sent
back to the originating server", you can keep the authorization cookie that
allows a user to log in to Hotmail and read the last user's mail. The
authorization cookie is temporary, however, and is deleted when the browser
closes.
Try it:
1) In Netscape, set your cookie preference to the above.
2) Log in to any Hotmail account.
3) Choose "Sign Out".
4) From the MSN page that appears after sign-out, choose the Hotmail link.
5) You will be back in the Inbox.
Possible Fixes:
1) Set cookies to "Accept all cookies"
2) Close your browser immediately after signing out.
Tested on Netscape 4.5 and 4.6, using both the "Increased Security" and
"Neither" authorization methods.
When contacted at Hotmail_Technical_Support_X@hotmail.com (Hotmail gives
you this address to ask security questions if you send a blank email to
howsecure@hotmail.com), I got a Mail Delivery error that the address did
not exist.
-Pete K
--
Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/
pkrawczy at uiuc dot edu Finger for PGP Public Key
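The failure described in the post, as an added example that is not part of the original message: a toy model of a browser that drops cookie writes coming from a host other than the one it is talking to (the "only cookies sent back to the originating server" setting), and of a mail server that either does or does not revoke the session server-side at sign-out. The host names, cookie name and tokens are constructed, and the assumption that the sign-out cookie-clear is issued from a different host than the mail site is one reading of the symptom, not something the post states.

```python
"""Sign-out must revoke the session on the server, not only ask the browser
to drop the cookie. Constructed example; hosts and values are made up."""
import secrets


class Browser:
    """Cookie jar keyed by (host, name). When block_third_party_writes is set,
    a Set-Cookie for host A arriving in a page served by host B is ignored."""

    def __init__(self, block_third_party_writes):
        self.block = block_third_party_writes
        self.jar = {}

    def apply_set_cookie(self, cookie_host, page_host, name, value):
        if self.block and cookie_host != page_host:
            return  # dropped, like a blocked third-party cookie
        if value is None:
            self.jar.pop((cookie_host, name), None)  # cookie-clearing response
        else:
            self.jar[(cookie_host, name)] = value

    def cookie_for(self, host, name):
        return self.jar.get((host, name))


class MailServer:
    """revoke_server_side=False models a logout that relies on the client
    deleting the cookie; True also deletes the session record itself."""

    def __init__(self, revoke_server_side):
        self.revoke = revoke_server_side
        self.sessions = {}  # token -> user

    def login(self, browser, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        browser.apply_set_cookie("mail.example", "mail.example", "auth", token)

    def sign_out(self, browser):
        token = browser.cookie_for("mail.example", "auth")
        if self.revoke:
            self.sessions.pop(token, None)
        # Assumed: the sign-out page is served by a portal host that tries to
        # clear the mail site's cookie; a strict browser ignores that write.
        browser.apply_set_cookie("mail.example", "portal.example", "auth", None)

    def inbox(self, browser):
        token = browser.cookie_for("mail.example", "auth")
        return self.sessions.get(token)  # None means "not logged in"


def after_sign_out(block_third_party, revoke_server_side):
    """Who the next visitor of the inbox is seen as after a sign-out."""
    browser, server = Browser(block_third_party), MailServer(revoke_server_side)
    server.login(browser, "alice")
    server.sign_out(browser)
    return server.inbox(browser)
```

Only the combination of a strict cookie setting and a logout that does not revoke server-side leaves the next visitor logged in as the previous user; revoking the session record closes the gap regardless of the browser setting.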