Obscure hole could expose Hotmail messages

A limited though powerful hole in Hotmail allows hackers to view users' personal e-mail messages.

The hacker group Root Core has published an exploit of a vulnerability in Microsoft Corp.'s free Web-based e-mail service that would allow a user to view the private e-mails of another user. However, attacks must be targeted to a specific user and require some careful guesswork.

Through a spokeswoman, Microsoft said Hotmail engineers have identified the problem and are working to fix the hole. They hope to fix the flaw by the end of the day, she said.

There are two steps involving the hack: first, one must find out the account name (e-mail address) of the Hotmail user; second, you must find out the exact time the message you want to read was sent.

The second step, however, is what makes this exploit difficult. Messages are time-stamped in what appears to be Unix time, or the number of seconds since Jan. 1, 1970, according to Ryan Russell, an analyst at SecurityFocus.com, a business security Web site in San Mateo, California.

"It may help predict what these numbers are. It remains to be seen," he said. If a hacker knows approximately when a message was received, he can set up a program to calculate the seconds and run through messages in a given time frame to find an e-mail.

The published exploit suggests such a solution. "Now [if] typing those message numbers manually is too much work, you could create a small utility to automatically scan [a] given range of messages from specific user name. (You need to build it to work with IE, as you must be logged in Hotmail when you want to view messages...)" Much of the necessary information, however, appears to be missing from the published exploit, Russell said.

"It doesn't explain exactly how to guess the number of the message," Russell said, and at the Root Core Web site, "there has been little discussion on how hard it is."

The immediate concern for Hotmail users isn't grave, he said, since this is a targeted attack. Unlike other exploits, only one user at a time can be affected from a single hacker. He added that Microsoft tends to fix these kinds of holes soon after they're publicized.

However, this exploit points out, "the whole ASP model vulnerability," Russell said. "The good news is Microsoft can fix it in one fell swoop."

It is also difficult for security analysts to test the exploit, he said, since Microsoft could come after them for breaking into other e-mail accounts. "If they really want to know," he said, "They're going to have to put their neck on the line."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?