Security - Web vulnerability exposed by Hotmail embarrassment

Ex-hacker says Microsoft left Hotmail's front door wide open.

Written by newmedia newmedia

Network IT Week, 07 Sep 1999

Network managers have been urged to review their own web security practices after Microsoft's Hotmail service became subject to one of the highest-profile internet hacks in the web's history.

The 'hole' in Hotmail's security meant that full access to more than 40 million Hotmail subscribers' accounts could be gained by simply entering a special URL.

A previously unknown group, Hackers Unite, has claimed responsibility for the attack.

The crackers modified freeware code to allow entry to Hotmail accounts, via a URL, without the need to provide passwords.

Details of the exploit were posted on a website in Sweden last week and were quickly copied to a number of other sites in the UK and US.

Microsoft, which was forced to take down the Hotmail service for two hours, has posted an apology and stated that its engineers have solved the problem.

Ex-hacker Mathew Bevan, now a consultant at Tiger Security, speculated that the exploit may have relied on an intentional 'backdoor' left open by Microsoft.

"This was either an oversight or an inside job," said Bevan, who added that, bad as the breach was, exploits against Microsoft's applications present a far more serious problem.

David Butler, a security analyst at Axent Technologies, said the breach is serious because many companies use web-based email services, such as Hotmail.

"It seems that a script existed and was left on a server without protection, so it could be read and exploited," said Butler.

Butler said test scripts carelessly left on web servers constituted a common class of vulnerability, and advised regular housekeeping.

HOW HOTMAIL WAS HACKED

The code needed to exploit the Hotmail breach required only five lines of Common Gateway Interface (CGI) HTML script. This is applied to a common Hotmail gateway http://wya-pop.hotmail.com/cgi-bin/start.

This skeleton 'key' code looks like: http://207.82.250.251/cgi-bin/start?curmbox= ACTIVE&js=no&login=username&passwd=eh

All that was needed was to cut and paste the above code in a web browser and replace 'username' with someone's Hotmail user name.

  • Have your say
  • Send to a friend
  • Print this
  • Share

Tags:

reader comments

related articles

New hacker risk hits Hotmail users

Microsoft investigates yet another vulnerability 17 Sep 2001

 

Hotmail still vulnerable to virus attacks and infected email

Five months after it was brought to Microsoft's attention, a serious flaw in Hotmail's virus scanner still leaks emails infected by the most pernicious macro viruses - including Melissa, Marker, Ethan, Story and Footer. 13 Oct 1999

related whitepapers

today's top stories

Communications

Protests greet new Digital Economy Bill amendment

ISPs, digital rights groups and Liberal Democrat supporters cry foul 05 Mar 2010

Management

Publishing special - Publishers innovate to survive

1) IT could hold the key to the future of publishing 2) Case Study: The Guardian harnesses social and mobile apps 3) How publishers are reacting to the iPad 02 Mar 2010

Internet

The dangers and delights of the web

The anonymity that the internet affords can foster lively and robust debate – but it also brings dangers 02 Mar 2010

Communications

All mod comms

Unified communications systems can lower communication costs while enabling staff to work in a more flexible and productive way, as Martin Courtney reports 02 Mar 2010

Management

IT Leaders' Forum in association with IBM

A unique opportunity to hear from expert speakers and engage in a debate about the future of the CIO job function 29 Jan 2010

> More news

Advertisement

Subscribe

Keys to successful Serviceā€Oriented Architecture implementation

This white paper explores best practices and general design patterns for service oriented architecture (SOA).

The Roadmap to IT Maturity — Matching Strategy to Infrastructure for Business Success

This paper defines a roadmap for matching infrastructure strategy to business success.

Advertisement

Keep up to date with the latest products, services and technologies from the world's leading IT companies; ITHound.com brings you over 6,000 white papers, case studies and analyst reports.

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

More available - click 'submit' to view

Existing User

Newsletter user login:

Jobs

Related jobs

Job of the week

> More IT vacancies

Job alerts

  • Latest jobs to your inbox
Sign up here

Find your next job

IT Salary Checker

  • Are you being paid what you are worth?
Check salary here

Advertisement

Latest poll

Public disclosure

Public disclosure

Should companies be compelled to go public on data breaches?

View poll results

> More polls

Latest audio and video articles

Video

HP unveils S Series notebooks

'Prosumer' line overhauled 01 Mar 2010

Web Seminar Listings

Preparing for enterprise-scale Windows 7 migration

The web seminar on 18 Feb will discuss how Windows 7 migration can increase IT efficiency in large enterprises, freeing up budgetary and personnel resources to focus on business innovation. Our panel of experts will examine the strategies, tools and services IT leaders can use to migrate successfully and reap the rewards of increased efficiency. 19 Feb 2010

> More audio and video

Latest in-depth articles

Stoneleigh Park show ground. Pic: Dave HamsterFeatures

Harnessing the benefits of unified communications

The reasons for adopting unified communications can be as varied and contrasting as the adopters themselves, as Martin Courtney discovers 09 Mar 2010

University of SheffieldFeatures

Case study: University of Sheffield

University shows a high degree of forward thinking with UC 09 Mar 2010

> More in depth articles

Primary Navigation