[ISN] Hackers Shortcut Hotmail Password Reset Protections

From: InfoSec News (isnat_private)
Date: Tue Feb 12 2002 - 01:03:24 PST


    By Brian Krebs, Newsbytes
    11 Feb 2002, 4:25 PM CST

    Security researchers have discovered a vulnerability in Microsoft
    Corp.'s Hotmail service that allows hackers to bypass security
    questions that users must answer before resetting their passwords.

    Normally, if Hotmail users forget their password they must fill out a
    Web form that requires their e-mail address, state, zip code and
    country. Users who enter the correct information are then prompted for
    the answer to the "secret question" they selected when signing up for
    the service.

    According to information obtained by Newsbytes, hackers recently
    discovered a way to skip the validation form and go directly to any
    user's "secret question" prompt. From there, the intruder is only one
    step away from resetting the user's password.

    Sources say that since the discovery of the security hole roughly two
    weeks ago, a small cadre of hackers has been patiently checking a long
    list of high-profile and desirable usernames for easily guessed
    answers to secret questions.

    Screenshots obtained by Newsbytes showed that the password and secret
    question for at least one highly desirable Hotmail username of the
    sort traditionally reserved for system administrators had been changed
    to "Who owns you????" Another hacked secret question was changed to an
    Internet address for a hacker group's Web site.

    "It got my attention right off, because I know I've never taken those
    'secret question' things seriously enough to jot in anything other
    than 'abcdef' or 'whatnot'," said Adrian Lamo, a security researcher
    who reported the problem to Microsoft through Newsbytes.

    As a result of the vulnerability, many Hotmail users who rely on a
    variation of "What's my favorite color" for a secret question could
    find themselves shut out of their Webmail, Lamo said.

    A Microsoft spokesman said there was nothing wrong with the company's
    e-mail login service, and noted that Microsoft leaves it up to users
    to make their secret questions as secure as possible.

    The security problem posed by the exploit doesn't stop at e-mail,
    however. Hotmail authentication also automatically signs the user in
    to other Microsoft services, such as .Net Passport, a service that
    allows users to automatically transfer personal and financial
    information about themselves to approximately 100 participating
    merchant Web sites.

    Armed with a user's Hotmail sign-on, an intruder could theoretically
    shop at any one of the participating merchants, bill the purchases to
    the hijacked user account and ship the item to another address, Lamo

    The new vulnerability is the latest in a string of security problems
    with Hotmail, a service that claims more than 200 million users.

    Last month, scores of Microsoft's Gaming Zone users found themselves
    faced with Hotmail address books containing the names and addresses of
    total strangers. Some who attempted to compose messages from the
    account were startled to see a signature line automatically attached
    to the bottom of their messages, bearing the name and contact
    information of someone they had never heard of.

    Throughout last year, hackers discovered various ways of embedding
    Hotmail messages with JavaScript code that redirected users to a fake
    Hotmail site designed to trick them into re-entering their password.

    In this instance, however, the keys to the exploit are actually hidden
    within the source code for the Hotmail login page. The code, visible
    to anyone knowledgeable enough to select "View Source" from the menu
    of their Web browser, reveals a "hidden" field that, when populated
    with the desired username, saved as an HTML file and opened in a Web
    browser, produces the targeted user's "secret question."
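    The design flaw the article describes is a multi-step reset flow whose second step trusts a client-supplied hidden field instead of proof that the first step was passed. As an added illustration (not code from the article, Microsoft or Newsbytes), the Python model below shows that vulnerable shape next to a hardened version in which step 2 accepts only a short-lived, HMAC-signed token the server mints after the identity form checks out. The account data, field names and token format are constructed for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample account store for the demo (not real service data).
ACCOUNTS = {
    "alice": {"state": "WA", "zip": "98052", "country": "US",
              "question": "Name of first pet?", "answer": "rex"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-process secret; rotate/persist in practice

def vulnerable_secret_question(form):
    """The pattern the article describes: step 2 trusts a hidden 'username'
    field, so a request built by hand skips the identity form entirely."""
    acct = ACCOUNTS.get(form.get("username"))
    return acct["question"] if acct else None

def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(mac)).decode()

def _verify(token):
    """Return the signed payload, or None if the token is forged, malformed,
    issued for another purpose, or expired."""
    try:
        body, mac = token.encode().split(b".", 1)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if payload.get("purpose") != "reset-step2" or payload.get("exp", 0) < time.time():
        return None
    return payload

def step1_identity_form(form, now=None):
    """Hardened step 1: only after username/state/zip/country match does the
    server mint a short-lived token proving this step was actually passed."""
    acct = ACCOUNTS.get(form.get("username"))
    if not acct or any(acct[k] != form.get(k) for k in ("state", "zip", "country")):
        return None  # one generic failure; do not say which field was wrong
    exp = (time.time() if now is None else now) + 300
    return _sign({"purpose": "reset-step2", "user": form["username"], "exp": exp})

def step2_secret_question(form):
    """Hardened step 2: the question is released only for the username bound
    inside a valid step-1 token, never for a bare client-supplied field."""
    payload = _verify(form.get("token", ""))
    return ACCOUNTS[payload["user"]]["question"] if payload else None
```

    In the hardened flow a forged or expired token, or a request that still carries only the hidden username field, yields nothing, so the identity form can no longer be skipped.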
    "Cisco Kid," the nickname for the hacker who helped to develop the
    exploit, said Microsoft simply has no good explanation for leaving
    something so central to authentication in plain text.

    "It was quite disconcerting to see such a seemingly heavily protected
    Web-site and e-mail service overlook the prospect of encrypting
    information pertaining to resetting passwords," the Kid said.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:57:30 PST