Thought the list might be interested in this tidbit.
I was under the impression that hotmail was running qmail on *nix servers,
and that when purchased by microsoft, they attempted to switch it all over
to NT, but failed and ended up not changing anything. Perhaps they did
change to NT, or perhaps the exploit, which was apparently some type of
maintenance account or an easter egg left by a developer was there all
along. Just goes to show you, don't trust precompiled binaries and
pre-installed software :)
Interestingly HNN didn't have anything on this (except a link to the
cracked site "www.hotmailhack.com" which also still seems to be
cracked, too :) but maybe they did last week and it snuck right by.
---------- Forwarded message ----------
Subject: Hotmail Accounts Exposed to All
Hotmail Accounts Exposed to All
by Declan McCullagh
8:05 a.m. 30.Aug.99.PDT
A catastrophic security flaw in Microsoft's Hotmail service lets anyone read the private correspondence of about 50 million subscribers.

The bug appears to affect all customers of what Microsoft says is "the world's largest provider of free Web-based email."
As of approximately 8:30 a.m. Monday morning, Microsoft had shut off its Hotmail service to legitimate users. However, the security exploit still worked by accessing the alternative servers whose Web address had been widely posted throughout the weekend.

This effectively shut off the site to all but the hackers. The move also stopped legitimate users from changing their passwords.

A Swedish newspaper, Expressen, reported the bug in its Monday editions. The bug lets anyone log into a Hotmail account without typing a password.

The exploit, verified by Wired News, works this way: A Web page with nine lines of HTML code can connect to a Hotmail server without requiring a user to enter a password. By early Monday, copies of those nine lines of HTML source were circulating widely around the Net and mirrored on hacking-related Web sites.

"We know nothing about [the individual who tipped us]. It was anonymous," said Christian Carrwik, one of two Expressen reporters who broke the news. "It has been circulating for a couple of days."

"The most interesting thing is that Microsoft said it is working on the problem, but they haven't closed down Hotmail, or sent any warning to their users," Carrwik said. "The backdoor is still open and more and more people are discovering it."

Expressen said Microsoft was alerted very early Sunday morning. The company could not immediately be reached for comment.
snip
http://www.wired.com/news/news/business/story/21490.html
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]