Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Another Hole in Hotmail

Posted by CmdrTaco on Wed May 10, 2000 10:51 AM
from the tell-me-something-surprising dept.
Bug
Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Another Hole in Hotmail 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • Same kind of thing when you go to an AOL chatroom and tell them they can get your pic by pressing ALT+F4, it's been around forever, but the cluebies still fall for it. Idiots. :\

  • Slashdot poll suggestion:

    In order to continue reading the pr0n trolls on Slashdot, you must pour a bowl of hot grits into your hard drive right now, and click OK. Do you wish to continue?

    1. Yes
    2. OK

    (Glossary: "hard drive" is usually used to denote the secondary storage device on your computer...)

  • Message I got when deleting my spam bucket:

    Message to Hotmail Members

    We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
    We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience.

    © 2000 Microsoft Corporation. All rights reserved. Terms of Service Privacy Statement
  • Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie. Well, maybe Microsoft and Hotmail, but no-one who had the slightest clue about the issues Slashdotters care about.

    Would they?

    #!/usr/bin/perl -w

    open COOKIE, $ENV{HOME} . "/.netscape/cookies" or die;

    while (<COOKIE>) {
    if (/slashdot/) {
    chomp;
    my @args = split;
    my $cookie = pop @args;
    $cookie =~ s/\%25//g;
    print pack("H*", $cookie), "\n";
    }

    }

    --
  • Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

    On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.

    Hotmail stores your user information in a session cookie, not a persistent (disk) cookie. If you close all your browser windows and access hotmail again, you are required to enter your password again... unlike Slashdot I might note.

    I know the session cookie has an expiration period, but I don't remember what it is. Probably something like 20 minutes.

    -konstant
    Yes! We are all individuals! I'm not!

  • Hotmail did. (Score:5)

    by Anonymous Coward on Wednesday May 10 2000, @06:08AM (#1081009)
    I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.

    This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.

    But then again, I rarely. So who. Well!
  • And the other 2/3 - 1 persons clicked no? Only one remembered not to run that executable?

    Right?

  • Re:you missed the point (Score:3)

    by thimo (36102) on Wednesday May 10 2000, @09:46PM (#1081019) Homepage
    The point was that people don't read the dialog.

    Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla ;), but normally it is not what you want. The point of the poster you replied to was that the user doesn't need to know that formatting is bad and thus you don't know for sure 1 out of 3 users don't read dialog boxes.

    Thimo
    --
  • Not automatically: the items still have to be selected in order to be viewed. However, that's enough for the script to run and capture session data.
  • I developed it on paid time, it was company property. I didn't keep a copy (I don't use Windows at home for anything but games, so I wasn't tempted).

    I was pretty sure it would spread to millions of computers, and I'd get a bonus. Instead I got a pat on the back from the guy in the next cubicle (who didn't install the software either), and the company refused to hire me as a regular employee when my co-op term ended (despite demonstrated ability as one of their best programmers, and their desperate need for a rewrite of an in-house package I was intimately familiar with, I was "unqualified" without a degree). Very disappointing.
  • the tricky part about this is that you don't need to click on the attachment. Hotmail, just like many of the other newer email clients, recognizes it as html code, and embeds the html page into the page automatically. Unless you've changed settings, this will happen without you actually doing anything.

    it's not a vbs file. it's an embeded javascript. there is no virus check run because it's not a virus and there isn't an anti-virus that checks for potentially malignant javascript. Hell, the creator only had to identify the cookie, the username, and the server the cookie was being held on, and automatically send all of this info to another account (which could have been a hotmail account)

    Not everyone had to actually open the attachment.
  • What kind of grammer is that?

    With very what?! Egads.

    Linux Band Bratwurst Orange [mp3.com]
    Beos Band XIR: Xir is recursive [mp3.com]


  • This is an embedded javascript exploit, just like some of the earlier exploits (not VBS as described above by CT). Hotmail is filtering out javascript within the bodies of e-mail, but not attached html files. They could remedy this by either filtering attached html files (not so easy to do) or by offloading the attachments to be read from a seperate server outside the *.hotmail.com domain (my recommendation).


    Here's an awesome story [wired.com] about another risk of using web-based e-mail. It describes how your IP address could be identified if the sender attaches an IMG tag to the e-mail and then watches the web server log for when you read the mail and your browser requests the image from her server. Clever.



    Seth
  • I used to do that with Netbus. People would be looking at porn sites or something, and I'd pop up a dialog that said "In order to continue, your hard drive must first be properly reformatted. Do you wish to continue?"

    I was nothing short of amazed at how many people clicked OK. It must have been at least a third, if not half.

  • And let that be a lesson to everyone; you're just not being malicious enough!

    You punk kid virus writers are becoming lazy no-goodniks who just want to live off the government dole! Back when I was a kid, we had to walk 7 miles through unsorted punchcards if we wanted to write a virus; and we didn't have no fancy-schmancy new-fangled "scripting languages", neither, nosirree, we had to imprint the binary on cardboard boxes, which in turn we'd mamble famble until they'd turn into finely crafted executables, yes sirree.

  • theres a Wired [wired.com] article and a ZDNet [zdnet.com] article.

    From the ZDNet article:
    Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user?s cookie to the hacker.
    Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user. Click here [peacefire.org] for a description of the trick.
    <snip>
    Not a 'trivial bug'
    Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.

    Best I could see, theres no email floating around doing this - its just an idea at this point. And for it to propagate(sp?) like luvbug or melissa, it'd need a script to use the hotmail address book. As it sits right now, it'd just come from one guy who knew lots of hotmail addresses. Someone correct me if I'm wrong on this, tho :)

    -----
    If Bill Gates had a nickel for every time Windows crashed...

  • What I saw made me laugh over and over again. The news people on almost every channel gave the following advice.

    1.) If you get an e-mail that your not expecting (hmmm all of them!) call the person and ask them if they sent you mail.
    Why don't you just drive over to their house and ask them.... DUH!

    2.) Make sure you virus software is up to date.
    Hello! This didn't work and wouldn't work because this was a NEW virus. They had a virus defintion only hours after the bug hit! What good would it have done!
  • Ok, while I disagree with your point in general, I will concede that it is the meaning of a sentance that makes the most difference. However, a trailing adjective/adverb that modifies nothing is a problem anyone can be justified complaining about. This is why it bothers us when we see stories that have sentances that just
  • Then, when the ILOVEYOU crap started, I had to send 2 separate emails with all caps in the body and a header that read "READ THIS!!" or something to get their attention. In it I said not to open attachments. Several people stopped me to ask; "Is it okay to open attachments?"
    I've always wanted to leave a claw hammer on my desk with a note attached that says:
    This is a hammer. Please do not hit yourself in the head with it. Hitting yourself in the head with this hammer will cause serious and permanent brain damage.
    That way I have something to point to when someone asks me if it's OK to open email attachments. Doesn't work too well over the phone, but I'm sure I could make use of a suitable GIF on the web server..
  • Here's the exploit:

    1) Find a story about technology (if your name is "Katz" this step is unneeded)
    2) Skim the headline of said story to "get the gist".
    3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.

    For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.

    What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?

  • A Brief Explanation for the lazy (Score:5)

    by CiaranMc (149798) on Wednesday May 10 2000, @06:16AM (#1081073)
    How this seems to work is that someone emails you an HTML file as an attachment.

    If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to me from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.

    These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.

    It's not clear form the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.

    Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

    On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.

    -Ciaran
  • C is for cookie, that's good enough for me!

    Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>

  • Anyone who falls for something like that DESERVES to face the consequences...

    if they didn't learn all the times that the services say "DON'T GIVE YOUR PASSWORD OUT TO ANYONE", then maybe that will teach them a lesson.

    -- Dr. Eldarion --
    It's not what it is, it's something else.

  • Formatting the same as erasing? (Score:5)

    by LordNimon (85072) on Wednesday May 10 2000, @07:22AM (#1081090)
    Your post underscores the fact that many technical people have forgotton the original meaning of the words they use. It's really a shame.

    To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?

    When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.

    If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.

  • Social Engineering is easier (Score:5)

    by zpengo (99887) on Wednesday May 10 2000, @06:19AM (#1081092) Homepage
    I've seen websites that claim to give people access to anyone's Hotmail account. All you have to do is send an e-mail to a particular address that looks valid (something like account-password@hotmail.com) and give them the login of the person whose acct you want to get into, as well as your own login and password.

    I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.

  • the windoze default setting is to 'hide' the three letter file extenstion. If the attached file was named noodiepic.jpg.vbs, it would appear as noodiepic.jpg . Most people would feel safe (yet perverted) by opening this.

    After our beloved NTServer was 'Loved', the people with this setting only noticed the jpg icons had changed and kept infecting away. I changed this setting on all infected users to help remind them what file type it actually is.

  • A lot of people run programs from strangers; the press and computer industry don't do a good enough job of educating people about these things.

    I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.


  • I still have my hotmail account, I use it as my "spam bucket". You know those free website that offer free accounts (like the new york times), but you have to give them you email address? Also when registor with search engines, sign up FREE to win crap out there, just use a hotmail account and see how long it takes to fill completly full with spam (it took mine 3 days!)...

    A neat treat though, just put a filter in to filter out anything with 'A' in the subject, they allow like 5-10 filters, so delete everything that has a vowel in the subject line!
  • I've had a hotmail account for about 3 years and I still use it.

    Everytime I sign up for anything on the internet, anytime a webpage asks me for email, any time I have to put in an email address to 'register' a program, or any convention I sign up for, I put in my hotmail address... They then usually ask me a bunch of personal questions. I'm always 25-35 male, I make $100,000+/year and am single. And when you see all those little boxes where you check off your interests? Well, I check them all. Then I check (or uncheck) those boxes that ask me if I want their monthly, weekly, daily email magazine. Oh, and I want all the updates whenever they update their software/web page, etc...

    I currently get 7-8 emails a day at that address.. about twice a week I get one from Hotmail Staff telling me my mailbox is full.. :)

  • That is *absolutely* the case. That's why the ILOVEYOU virus author renamed files not from file.ext to file.vbs but to file.ext.vbs.

    Moderate Chris Hiner's post UP.
  • Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie.

    what's wrong with using the password for a permanent cookie? someone with the cookie can do anything you can do (post comments, submit articles), so why is it a big deal if they have your password?

    otoh, for something like web-based e-mail where you log in for a few minutes, you want the authentication gone when you leave the computer.

    (i wonder what hotmail does if you check the "remember my password" option..)

    --

  • The proper extension for a Word file with macros is ".dot", because it's a template (a Word template is a dynamic object which produces documents, a Word document is a static object and can't contain code) - just because Word is too stupid to complain if you name it ".doc" doesn't change that. What you're saying is like insisting that a ".jpg" can hold formatted text, arbirary JavaScript, and hyperlinks because if you rename an ".html" file to ".jpg" IE will still open it as HTML.

    At any rate, my program detected macros in files with the extension ".doc". It wasn't a program idea, it was a working program that I tested and proved effective.

    From http://www.emergency.com/wordvrus.htm [emergency.com]:

    An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.

    I hate pathetic morons who go around insulting people for imagined mistakes without checking their facts.

  • I bet in the UK you couldn't sue a restaurant (and win) because you spilled coffee on yourself.

    -- Dr. Eldarion --
    It's not what it is, it's something else.
  • At a certain large Canadian technology company, after having the email shut down by a Word macro virus panic, I once wrote a program that identifies attachments with a ".doc" extension that are actually ".dot" files (Word document templates that could contain macro viruses). If it was a real ".doc", it just opened the file with Word; if it was a ".dot", it put up a dialog box with big biohazard signs that said "This is a falsely labeled file! It could carry a virus or trojan horse! ARE YOU SURE YOU WANT TO OPEN IT?"

    Everyone who saw it, including my boss, agreed that it solved the problem completely. However, nobody installed it, and nobody outside of my department was shown it. It was almost certainly deleted shortly after I left the company, and the vulnerability (to a few specific viruses) solved several months later by purchasing expensive anti-virus software.

    Home users have an excuse: most of them are ignorant. They have a vague idea of some portion of what's on their hard drive and what's on the internet, and of the difference between an application and a document. Corporations, though, want a simple solution: money out, invulnerability to viruses in. The answers have been jumping up and biting them on the nose from any halfway decent MIS department, from security websites, from annoyed articles in the trade papers, but the managers involved want their computers to "just work", and not be bothered with having to think (or making all their employees apply common sense, which, I must admit, is about as difficult as teaching cats to march in formation).
  • My wife uses Hotmail, because she likes the convenience of getting her mail through a web browser, from any computer. I've seen a few apps for Linux that allow you to pull your mail off a POP or IMAP server, and access it through the web (ACME mail comes to mind - http://www.astray.com/acmemail/)

    Has anyone used this, or similar programs? How well do they work? How insecure are they?

    It'd be nice to set up an alternative web mail system....

    ---

  • IMG tags in emails... (Score:3)

    by ceswiedler (165311) <chris@swiedler.org> on Wednesday May 10 2000, @06:41AM (#1081131)
    Oh, yes. I've actually suggested we do something similar at our company. We send out HTML emails to our customers. The URL in the IMG tag doesn't have to be an image at all--it can be a CGI page which redirects to an image. Throw a couple of parameters (like a user-id) into the URL, and the CGI page can record exactly when users open the email. Nifty, eh? I never thought of capturing the IP address directly (not something we're interested in) but it would obviously be possible.

    Wonder if this could be exploited further?

  • I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
    Did you then go back and resolve the IP's to machine locations and send anonymous emails to the users saying "You, sir [or madam as the case may be], are a FOOL!"?

    Why would anyone in their right mind let unknown people run foreign code on their machines? Yes, I get executable attachments sometimes myself, but why would I want to run code that does who knows what? I guess I just know too much about the kind of people out there. Yeah, maybe that's it.

    Just goes to show, once again, that there are two kinds of people in the computer world -- those who know what they're doing and understand the technology, and those who are along for the ride and depend completely on their "gurus" for anything even the slightest bit off the routine.

    I have to rant a little about this because around here 9 times out of 10 people come to me to bail them out when they screw something up, and only one of my jobs pays me for that. I have very little trouble believing that quite a few people would answer "yes" to your question, and not much more trouble believing that they would come whining to more clueful people about getting their files back afterwards.

    ("No, you don't understand. You FORMATTED the hard drive. That ERASES the hard drive. Unless you backed up those files which were ON the hard drive, they're gone. Sorry .. have a nice day ..")
  • So I just tried to send a message through hotmail, and I got a 404-ish error. So I logged back in to Hotmail and later got a message while refreshing saying that the server holding my account was temporarily unavailable. Sounds like they're taking the machines offline to throw in a patch.

    I'm hella pissed, though, because the mail I was sending was to a headhunter I've been talking with about a sweet Linux job and I don't know if it went through or not.

    It's enough to make a person switch over to PEmail. Old habits die hard, though. I've been using Hotmail since before M$ bought them.

    -carl

  • You'd be surprised. (Score:5)

    by RavenWolf (23378) on Wednesday May 10 2000, @05:56AM (#1081134) Homepage
    I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
  • Like the Dilbert comic where the boss becomes irate at a statistic that 40% of sick days are on Monday and Friday.

    *gasp*!

    Pablo Nevares, "the freshmaker".

  • Dealing with human tendencies (Score:3)

    by Phydoux (137697) on Wednesday May 10 2000, @05:57AM (#1081137)
    This reminds me of something I heard a long time ago that has to do with human tendencies:

    "If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."

    You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
    --

  • There was a problem with the code I was using so this wasn't working properly earlier. It is now. There's an interesting article about this type of web trojan on kuro5hin.org [kuro5hin.org]. There's a lot of discussion about it on Zope as well. It affects just about every web site out there.

    I decided not to have the link cause you to profess your love for Bill Gates to this thread. Instead I set up a sid here [slashdot.org].

    numb

  • not just hotmail... (Score:3)

    by jesser (77961) on Wednesday May 10 2000, @07:34AM (#1081141) Homepage Journal
    remember the CERT advisory [slashdot.org] in february about untrusted people being able to make it seem like javascript code came from a trusted website? i was wondering when someone would start exploiting this seriously. almost every site with dynamic content that isn't completely controlled by the site's owner is vulnerable to similar attacks.

    the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.

    --

  • Hooray for Javascript (Score:3)

    by / (33804) on Wednesday May 10 2000, @05:59AM (#1081147)
    It doesn't actually do many of the horrible things associated with the ILOVEYOU crap, but it will let someone else commandeer your hotmail account.

    A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.
  • But that's beside the point. The fact that it re-initializes the directory structure and allocation tables is nowhere near as big of an issue as the fact that it erases all data on the drive!!!!

    Usually it doesn't actually. The data is still there but inaccessable because the OS just reset the allocation tables. You're not really losing the data, you're losing the ability to access the data in the intended mannor, its a byproduct.

    Dos even had an "unformat" command.

    -- iCEBaLM

  • File extensions (Score:5)

    by Chris Hiner (4273) on Wednesday May 10 2000, @05:59AM (#1081168) Homepage
    What alot of us forget, is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, alot of non technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
    (Win98 may default to this too, I don't remember)

    I suspect lots of nongeeks leave it at the default...

  • Wow (Score:3)

    by zpengo (99887) on Wednesday May 10 2000, @06:00AM (#1081174) Homepage
    Another grammatically fascinating post by CmdrTaco, and another administratively fascinating event in the history of Microsoftified Hotmail.

    I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?

  • It's not the grammar that bothers me, so much as the inaccuracy of the summary. It isn't a VBS attachment that causes the problem, but rather a plain HTML attachment with embedded javascript. Even in a world of "intelligent" users, HTML is expected to be a "safer" document format, rather than "dangerous" executable code.

    I think there're a number of people you could assign the blame to, but no one entity that's "fully stupid". Users should be more careful, Hotmail should attempt some filtering, but most importantly the w3c should provide a means of denoting "third-party" HTML (and other documents) that appears to be from the server, but in reality was placed there by someone else (such as an attachment to an email or a comment in a message board that doesn't restrict HTML).

  • Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is acutally an HTML file which contains the exploit. More specifically:

    The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.

    Ironically, this information is largely reproduced from the article on Peacefire [peacefire.org] cited in the original post. No mention of VBS files anywhere.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.