http://www.newsbytes.com/news/02/174400.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A., 11 Feb 2002, 4:25 PM CST

Security researchers have discovered a vulnerability in Microsoft Corp.'s Hotmail service that allows hackers to bypass security questions that users must answer before resetting their passwords.

Normally, if Hotmail users forget their password they must fill out a Web form that requires their e-mail address, state, zip code and country. Users who enter the correct information are then prompted for the answer to the "secret question" they selected when signing up for the service.

According to information obtained by Newsbytes, hackers recently discovered a way to skip the validation form and go directly to any user's "secret question" prompt. From there, the intruder is only one step away from resetting the user's password.

Sources say that since the discovery of the security hole roughly two weeks ago, a small cadre of hackers has been patiently checking a long list of high-profile and desirable usernames for easily-guessed answers to secret questions.

Screenshots obtained by Newsbytes showed that the password and secret question for at least one highly desirable Hotmail username of the sort traditionally reserved for system administrators had been changed to "Who owns you????" Another hacked secret question was changed to an Internet address for a hacker group's Web site.

"It got my attention right off, because I know I've never taken those 'secret question' things seriously enough to jot in anything other than 'abcdef' or 'whatnot'," said Adrian Lamo, a security researcher who reported the problem to Microsoft through Newsbytes.

As a result of the vulnerability, many Hotmail users who rely on a variation of "What's my favorite color" for a secret question could find themselves shut out of their Webmail, Lamo said.
A Microsoft spokesman said there was nothing wrong with the company's e-mail login service, and noted that Microsoft leaves it up to users to make their secret questions as secure as possible.

The security problem posed by the exploit doesn't stop at e-mail, however. Hotmail authentication also automatically signs the user in to other Microsoft services, such as .Net Passport, a service that allows users to automatically transfer personal and financial information about themselves to approximately 100 participating merchant Web sites.

Armed with a user's Hotmail sign-on, an intruder could theoretically shop at any one of the participating merchants, bill the purchases to the hijacked user account and ship the item to another address, Lamo said.

The new vulnerability is the latest in a string of security problems with Hotmail, a service that claims more than 200 million users. Last month, scores of Microsoft's Gaming Zone users found themselves faced with Hotmail address books containing the names and addresses of total strangers. Some who attempted to compose messages from the account were startled to see a signature line automatically attached to the bottom of their messages, bearing the name and contact information of someone they had never heard of.

Throughout last year, hackers discovered various ways of embedding Hotmail messages with Javascript code that redirected users to a fake Hotmail site designed to trick them into re-entering their password.

In this instance, however, the keys to the exploit are actually hidden within the source code for the Hotmail login page. The code, visible to anyone knowledgeable enough to select "View Source" from the menu of their Web browser, reveals a "hidden" field that, when populated with the desired username, saved as an HTML file and opened in a Web browser, produces the targeted user's "secret question."
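The flaw described above is a step-ordering problem: the page that shows the secret question decides what to render from a field the client controls, so the identity-validation form is never enforced. The following is an added illustration, not Hotmail's code or anything Microsoft published. It uses a constructed user record and hypothetical field names (`username`, `step`) to show the weak pattern beside a hardened flow in which the secret question is reachable only with a server-issued token proving step one was passed, and in which guesses at the answer are capped, which also limits the username-list guessing the article mentions.

```python
"""Step ordering in a password-reset flow: client-chosen step vs. server-issued token.

Constructed example, not Hotmail's code. The user record, field names and the
lockout threshold are all hypothetical.
"""
import hmac
import secrets
from typing import Optional

# Constructed sample data (hypothetical user, not a real account).
USERS = {
    "alice": {
        "state": "WA", "zip": "98052", "country": "US",
        "question": "What is my favorite color?",
        "answer": "blue",
    },
}
MAX_GUESSES = 3  # assumed policy: failed answers allowed before lockout


def _norm(s: str) -> bytes:
    """Case- and whitespace-insensitive comparison form for answers."""
    return s.strip().lower().encode("utf-8")


def vulnerable_reset(form: dict) -> Optional[str]:
    """Weak pattern: a hidden 'step' field in the request picks the page to render.

    Because the server never checks that the e-mail/state/zip/country form was
    actually completed, any request naming a user with step=question is shown
    that user's secret question directly.
    """
    user = USERS.get(form.get("username", ""))
    if user is None:
        return None
    if form.get("step") == "question":   # client-controlled value
        return user["question"]
    return "validation form"             # step one would render here


class HardenedReset:
    """Progress is tracked server-side; step two needs a token from step one."""

    def __init__(self) -> None:
        self._pending: dict = {}   # token -> username, issued only after validation
        self._failures: dict = {}  # username -> failed answer guesses

    def validate_identity(self, username: str, state: str,
                          zip_code: str, country: str) -> Optional[str]:
        user = USERS.get(username)
        if user is None:
            return None
        if (user["state"], user["zip"], user["country"]) != (state, zip_code, country):
            return None
        token = secrets.token_urlsafe(32)    # unguessable, single-use step token
        self._pending[token] = username
        return token

    def secret_question(self, token: str) -> Optional[str]:
        """Reveal the question only to a holder of a valid step-one token."""
        username = self._pending.get(token)
        return USERS[username]["question"] if username else None

    def check_answer(self, token: str, guess: str) -> bool:
        username = self._pending.get(token)
        if username is None:
            return False
        if self._failures.get(username, 0) >= MAX_GUESSES:
            self._pending.pop(token, None)   # locked out: drop the token too
            return False
        if hmac.compare_digest(_norm(guess), _norm(USERS[username]["answer"])):
            self._pending.pop(token, None)   # token is consumed on success
            self._failures.pop(username, None)
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        return False
```

The lockout counter is keyed by username rather than by token, so re-running step one does not reset it; a real deployment would persist it and alert on repeated lockouts across many accounts, the pattern the article describes. Throttling limits guessing but does not repair a weak answer such as "abcdef", which is why the answer is compared in constant time and never echoed back.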
"Cisco Kid," the nickname for the hacker who helped to develop the exploit, said Microsoft simply has no good explanation for leaving something so central to authentication in plain text.

"It was quite disconcerting to see such a seemingly heavily protected Web-site and e-mail service overlook the prospect of encrypting information pertaining to resetting passwords," the Kid said.

ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:57:30 PST