Obscure hole could expose Hotmail messages

A limited though powerful hole in Hotmail allows hackers to view users' personal e-mail messages.

The hacker group Root Core has published an exploit of a vulnerability in Microsoft Corp.'s free Web-based e-mail service that would allow a user to view the private e-mails of another user. However, attacks must be targeted to a specific user and require some careful guesswork.

Through a spokeswoman, Microsoft said Hotmail engineers have identified the problem and are working to fix the hole. They hope to fix the flaw by the end of the day, she said.

There are two steps involving the hack: first, one must find out the account name (e-mail address) of the Hotmail user; second, you must find out the exact time the message you want to read was sent.

The second step, however, is what makes this exploit difficult. Messages are time-stamped in what appears to be Unix time, or the number of seconds since Jan. 1, 1970, according to Ryan Russell, an analyst at SecurityFocus.com, a business security Web site in San Mateo, California.

"It may help predict what these numbers are. It remains to be seen," he said. If a hacker knows approximately when a message was received, he can set up a program to calculate the seconds and run through messages in a given time frame to find an e-mail.

The published exploit suggests such a solution. "Now [if] typing those message numbers manually is too much work, you could create a small utility to automatically scan [a] given range of messages from specific user name. (You need to build it to work with IE, as you must be logged in Hotmail when you want to view messages...)" Much of the necessary information, however, appears to be missing from the published exploit, Russell said.

"It doesn't explain exactly how to guess the number of the message," Russell said, and at the Root Core Web site, "there has been little discussion on how hard it is."

The immediate concern for Hotmail users isn't grave, he said, since this is a targeted attack. Unlike other exploits, only one user at a time can be affected from a single hacker. He added that Microsoft tends to fix these kinds of holes soon after they're publicized.

However, this exploit points out, "the whole ASP model vulnerability," Russell said. "The good news is Microsoft can fix it in one fell swoop."

It is also difficult for security analysts to test the exploit, he said, since Microsoft could come after them for breaking into other e-mail accounts. "If they really want to know," he said, "They're going to have to put their neck on the line."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?