Security - Web vulnerability exposed by Hotmail embarrassment

Ex-hacker says Microsoft left Hotmail's front door wide open.

Written by newmedia

Network managers have been urged to review their own web security practices after Microsoft's Hotmail service became subject to one of the highest-profile internet hacks in the web's history.

The 'hole' in Hotmail's security meant that full access to more than 40 million Hotmail subscribers' accounts could be gained by simply entering a special URL.

A previously unknown group, Hackers Unite, has claimed responsibility for the attack.

The crackers modified freeware code to allow entry to Hotmail accounts, via a URL, without the need to provide passwords.

Details of the exploit were posted on a website in Sweden last week and were quickly copied to a number of other sites in the UK and US.

Microsoft, which was forced to take down the Hotmail service for two hours, has posted an apology and stated that its engineers have solved the problem.

Ex-hacker Mathew Bevan, now a consultant at Tiger Security, speculated that the exploit may have relied on an intentional 'backdoor' left open by Microsoft.

"This was either an oversight or an inside job," said Bevan, who added that, bad as the breach was, exploits against Microsoft's applications present a far more serious problem.

David Butler, a security analyst at Axent Technologies, said the breach is serious because many companies use web-based email services, such as Hotmail.

"It seems that a script existed and was left on a server without protection, so it could be read and exploited," said Butler.

Butler said test scripts carelessly left on web servers constituted a common class of vulnerability, and advised regular housekeeping.
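Butler's point is that the dangerous file is the one nobody remembers deploying. The check below is an added example, not code from the article or from Microsoft: it walks a web server's script directory and reports every file that is absent from a deployment manifest, flagging names that look like test or debug leftovers. The directory contents, the manifest and the list of suspicious name fragments are all constructed here for the demonstration.

```python
"""Added example (not from the article): a housekeeping check of the kind
Butler recommends. Every file under the CGI directory that is not in the
deployment manifest is reported, so a stray test script is found by the
administrator before an attacker finds it."""
import os
import re
import tempfile

# Assumed list of name fragments that usually mean "never meant for production".
SUSPECT = re.compile(r"(test|debug|tmp|old|bak|copy|~)", re.IGNORECASE)


def build_sample_tree(root):
    """Constructed cgi-bin: two shipped scripts plus two forgotten leftovers."""
    os.makedirs(os.path.join(root, "cgi-bin"))
    for name in ("start", "logout", "start.test", "login_debug.cgi"):
        with open(os.path.join(root, "cgi-bin", name), "w") as f:
            f.write("#!/bin/sh\necho ok\n")


def unmanifested_files(root, manifest):
    """Return sorted (relative path, looks-like-test) pairs for every file
    under root whose relative path is not in the manifest set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                found.append((rel, bool(SUSPECT.search(name))))
    return sorted(found)


def demo():
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        manifest = {"cgi-bin/start", "cgi-bin/logout"}  # what was meant to ship
        return unmanifested_files(root, manifest)


if __name__ == "__main__":
    for rel, suspect in demo():
        print(("SUSPECT " if suspect else "extra   ") + rel)
```

Run against a real document root, the manifest would come from the release package or configuration management; anything the check reports either gets added to the manifest deliberately or removed.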

HOW HOTMAIL WAS HACKED

The code needed to exploit the Hotmail hole amounted to five lines of HTML that called a Common Gateway Interface (CGI) login script on a standard Hotmail gateway, http://wya-pop.hotmail.com/cgi-bin/start.

This skeleton 'key' URL looks like: http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh

All that was needed was to paste the URL into a web browser and replace 'username' with the victim's Hotmail user name; the fixed value 'passwd=eh' was accepted for any account, so the real password never had to be known.
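The article only shows the key URL, not the server side, so the following is an added example and not Microsoft's code: a toy reconstruction of the bug class it describes. The vulnerable handler models exactly what the URL implies (a fixed password string unlocks any account, as a leftover test shortcut would); how the real Hotmail script behaved internally is not public. The hardened handler beside it does the check a login script must always perform, verifying the supplied password against a salted hash for that user. The credential store and the account 'alice' are constructed for the demonstration.

```python
"""Added example (not code from the article or from Hotmail): a leftover
test-bypass login handler beside its hardened form, driven by the query
string of a key-style URL."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit


def _hash(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; used for storage and checking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def parse_start_query(url):
    """Flatten the query string of a URL into a dict of single values."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def _verify(login, passwd):
    """Real check: the password must match the stored hash for that login."""
    rec = USERS.get(login)
    if rec is None:
        _hash(passwd, _SALT)  # do the same work so unknown users take as long
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(passwd, salt), stored)


def vulnerable_start(params):
    """Hypothetical test shortcut: the fixed password 'eh' unlocks any
    non-empty login, which is what the article's key URL implies."""
    login = params.get("login", "")
    passwd = params.get("passwd", "")
    if passwd == "eh":  # debugging aid that should never have shipped
        return login != ""
    return _verify(login, passwd)


def hardened_start(params):
    """Same interface, no shortcut: every request goes through _verify."""
    return _verify(params.get("login", ""), params.get("passwd", ""))


if __name__ == "__main__":
    key = "http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=alice&passwd=eh"
    p = parse_start_query(key)
    print("vulnerable:", vulnerable_start(p))  # True: any account opens
    print("hardened:  ", hardened_start(p))    # False: 'eh' is not alice's password
```

The vulnerable path is not exotic; it is the shape of most debug bypasses, a constant compared before the real check. The fix is not a better constant but removing the branch, so that every request, whatever its parameters, is decided by the credential store.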
