Re: Hotmail security vulnerability

From: Dr. Dave (daveat_private)
Date: Thu Oct 21 1999 - 23:34:28 PDT


    On Thu, Oct 21, 1999 at 09:27:38AM -0500, Pete Krawczyk wrote:
    > Within the last couple weeks, Microsoft has unveiled their new Passport
    > service which allows you to log in to multiple sites and do your work with
    > one single login.  However, they failed to realize that not all people
    > allow all cookies everywhere to be put on their computer.
    >
    > It is possible by making a settings change in Netscape (and possibly IE) to
    > transparently let a user log in as the last user that used Hotmail on that
    > computer.
    >
    > By setting the Cookies preference to "Accept only cookies that get sent
    > back to the originating server", you can keep the authorization cookie that
    > allows a user to log in to Hotmail and read the last user's mail.  The
    > authorization cookie is temporary, however, and is deleted when the browser
    > closes.
    >
    > Try it:
    >   1) In Netscape, set your cookie preference to the above.
    >   2) Log in to any Hotmail account.
    >   3) Choose "Sign Out".
    >   4) From the MSN page that appears after sign-out, choose the Hotmail link.
    >   5) You will be back in the Inbox.
    >
    > Possible Fixes:
    >   1) Set cookies to "Accept all cookies"
    >   2) Close your browser immediately after signing out.
    >
    > Tested on Netscape 4.5 and 4.6, using both the "Increased Security" and
    > "Neither" authorization methods.
    >
    > When contacted at Hotmail_Technical_Support_Xat_private (Hotmail gives
    > you this address to ask security questions if you send a blank email to
    > howsecureat_private ), I got a Mail Delivery error that the address did
    > not exist.
    >
    > -Pete K
    > --
    > Pete Krawczyk                          http://www.uiuc.edu/ph/www/pkrawczy/
    >  pkrawczy at uiuc dot edu                         Finger for PGP Public Key
    
    We are currently looking into this; it seems to be sporadic.  Certain accounts are vulnerable to this.  I have had limited success reproducing this on a number of platforms and browsers.
    
    --
    --------------------------------------------------------------------------
    Dave McKay                                      daveat_private
    MSN Hotmail                                     http://www.hotmail.com
    --------------------------------------------------------------------------
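
The sign-out behaviour reported in the quoted message, as an added model that is not part of the original thread and not Hotmail or Passport code. It assumes, since the thread does not state the mechanism, that sign-out deletes the authorization cookie through a response the browser treats as third-party, and it shows why revoking the session on the server closes the gap regardless of cookie settings. Host names, the cookie name and the user are constructed.

```python
import secrets

class Browser:
    """Cookie jar with an optional 'originating server only' policy."""
    def __init__(self, originating_server_only):
        self.originating_server_only = originating_server_only
        self.jar = {}

    def receive(self, page_host, setter_host, name, value):
        # value=None models an expiring Set-Cookie, i.e. a deletion request.
        if self.originating_server_only and setter_host != page_host:
            return False  # third-party cookie ignored, deletions included
        if value is None:
            self.jar.pop(name, None)
        else:
            self.jar[name] = value
        return True

class MailServer:
    """Hypothetical mail service keeping sessions in a server-side table."""
    def __init__(self, revoke_on_signout):
        self.revoke_on_signout = revoke_on_signout
        self.sessions = {}

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def signout(self, token):
        # Hardened behaviour: forget the token so a retained cookie is useless.
        if self.revoke_on_signout:
            self.sessions.pop(token, None)

    def inbox(self, token):
        return self.sessions.get(token)

def inbox_after_signout(originating_server_only, revoke_on_signout):
    """Return the user whose inbox opens after sign-out, or None."""
    browser = Browser(originating_server_only)
    server = MailServer(revoke_on_signout)
    token = server.login("alice")
    browser.receive("mail.example", "mail.example", "auth", token)
    server.signout(browser.jar.get("auth"))
    # Assumed: the deletion arrives while a portal page is the top-level page.
    browser.receive("portal.example", "mail.example", "auth", None)
    retained = browser.jar.get("auth")
    return server.inbox(retained) if retained else None
```

Only the combination of the restrictive cookie policy and client-side-only sign-out leaves the inbox reachable; with server-side revocation the retained cookie no longer maps to a session.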
    


