[12321] in bugtraq
Re: Hotmail security vulnerability
daemon@ATHENA.MIT.EDU (Dr. Dave)
Fri Oct 22 13:34:50 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991021233428.A87416@sneakerz.org>
Date: Thu, 21 Oct 1999 23:34:28 -0700
Reply-To: "Dr. Dave" <dave@SNEAKERZ.ORG>
From: "Dr. Dave" <dave@SNEAKERZ.ORG>
X-To: Pete Krawczyk <pkrawczy@UIUC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.5.32.19991021092738.01c5d3b0@jetson.astro.uiuc.edu>; from
Pete Krawczyk on Thu, Oct 21, 1999 at 09:27:38AM -0500

On Thu, Oct 21, 1999 at 09:27:38AM -0500, Pete Krawczyk wrote:
> Within the last couple weeks, Microsoft has unveiled their new Passport
> service which allows you to log in to multiple sites and do your work with
> one single login. However, they failed to realize that not all people
> allow all cookies everywhere to be put on their computer.
>
> It is possible by making a settings change in Netscape (and possibly IE) to
> transparently let a user log in as the last user that used Hotmail on that
> computer.
>
> By setting the Cookies preference to "Accept only cookies that get sent
> back to the originating server", you can keep the authorization cookie that
> allows a user to log in to Hotmail and read the last user's mail. The
> authorization cookie is temporary, however, and is deleted when the browser
> closes.
>
> Try it:
> 1) In Netscape, set your cookie preference to the above.
> 2) Log in to any Hotmail account.
> 3) Choose "Sign Out".
> 4) From the MSN page that appears after sign-out, choose the Hotmail link.
> 5) You will be back in the Inbox.
>
> Possible Fixes:
> 1) Set cookies to "Accept all cookies"
> 2) Close your browser immediately after signing out.
>
> Tested on Netscape 4.5 and 4.6, using both the "Increased Security" and
> "Neither" authorization methods.
>
> When contacted at Hotmail_Technical_Support_X@hotmail.com (Hotmail gives
> you this address to ask security questions if you send a blank email to
> howsecure@hotmail.com ), I got a Mail Delivery error that the address did
> not exist.
>
> -Pete K
> --
> Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/
> pkrawczy at uiuc dot edu Finger for PGP Public Key

We are currently looking into this; it seems to be sporadic. Certain accounts are vulnerable to this. I have had limited success reproducing this on a number of platforms and browsers.
--
--------------------------------------------------------------------------
Dave McKay dave@sneakerz.org
MSN Hotmail http://www.hotmail.com
--------------------------------------------------------------------------
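
Added example, not part of either message and not Hotmail or Passport code: a small model of why sign-out that depends on the browser accepting a cookie deletion can leave the session usable, and how server-side revocation closes it. The thread does not say how sign-out is implemented; the model assumes the cookie expiry for the mail site arrives while the browser is on a different site's page (the report mentions an MSN page after sign-out), and the host names and classes are hypothetical.

```python
# Constructed model, not Hotmail/Passport code. Assumption: sign-out is served
# from one site and tries to expire the mail site's cookie via an embedded
# (third-party) response, which the "originating server only" policy drops.
import secrets

MAIL, PORTAL = "mail.example", "portal.example"  # hypothetical hosts


class Browser:
    """Cookie jar with a Netscape-style 'originating server only' policy."""

    def __init__(self, originating_only):
        self.originating_only = originating_only
        self.jar = {}  # host -> session token

    def receive(self, page_host, response_host, token):
        """Apply a Set-Cookie from response_host while viewing page_host."""
        if self.originating_only and response_host != page_host:
            return  # third-party cookie write (or delete) is ignored
        if token is None:
            self.jar.pop(response_host, None)  # expiry means delete
        else:
            self.jar[response_host] = token


class MailServer:
    def __init__(self, revoke_on_signout):
        self.revoke_on_signout = revoke_on_signout
        self.sessions = set()  # tokens the server still honours

    def login(self, browser):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        browser.receive(MAIL, MAIL, token)  # first-party: always stored

    def sign_out(self, browser):
        token = browser.jar.get(MAIL)
        if self.revoke_on_signout:
            self.sessions.discard(token)  # server forgets the session
        # Sign-out page lives on PORTAL; the cookie expiry comes from MAIL.
        browser.receive(PORTAL, MAIL, None)

    def inbox_opens(self, browser):
        return browser.jar.get(MAIL) in self.sessions


def inbox_after_signout(originating_only, revoke_on_signout):
    browser, server = Browser(originating_only), MailServer(revoke_on_signout)
    server.login(browser)
    server.sign_out(browser)
    return server.inbox_opens(browser)  # True = next user lands in the inbox
```

With revocation on the server, the outcome no longer depends on the cookie preference of whoever used the shared machine.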