Feeds

Hacking Hotmail made easy

Hurry, before they close the hole

  • alert
  • submit to reddit

The smart choice: opportunity from uncertainty

Some bright empiricist from Root-Core has discovered that anyone can log into their Hotmail account and then call messages from any other Hotmail account by crafting a URL with the second account's username and a valid message number.

Finding a valid message number is of course total guesswork, but they all follow a consistent format and always have the same number of digits (i.e., a time stamp), so with the help of a little brute-force progie one can try numerous combinations in the background rather than type them in.

The basic URL for an attack looks like this:

http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd? _lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSGXXXXXXXXX% 2e(X)X%26start%3d1%26len%3d99999999999%26login% 3dUSERNAME%26domain%3dhotmail%2ecom

where USERNAME is the account name, XXXXXXXXX is a nine-digit message number, and (X)X is a second number between zero and (I think) fifty-nine.

(I've inserted spaces in the URL so the page here doesn't grow a mile wide, so be sure to remove them before you play with it.)

Now, let's say you have a Hotmail account called r00tarded@hotmail.com. Just log in, click on any message in your inbox, and then look at the URL. You'll see something like this:

http://lw2fd.hotmail.msn.com/cgi-bin/getmsg? curmbox=F000000001&a=5691b2b44e104176111971aa0fbb1274&m sg=MSG998000947.3&start=197078&len=1060&msgread=1&mfs=182

Copy the URL and log out. Now, log into another of your Hotmail accounts, and commence to play.

The message number for the item you viewed in your r00tarded account is MSG998000947.3 and it needs to be inserted in the attack URL along with the username thus:

http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd? _lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi% 2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998000947% 2e3%26start%3d1%26len%3d99999999999%26login% 3dr00tarded%26domain%3dhotmail%2ecom

It's necessary that you be logged into another (any other) Hotmail account. Now copy in the attack URL, click 'go' and voila.

You can only read messages; the button links on the page don't work; they'll bounce you back to the account you're working from. But it is a nifty trick, and it is proof of a major hole in Hotmail security.

The hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.

It has a GUI but remains a bit clunky, and also needs to be paused after it brings up the Hotmail login page so you can enter a valid username and password. After two unsuccessful attempts, I got it to work as advertised. It's more a proof-of-concept exercise than a cracking tool -- so enjoy it as such.

And please, I beg you, don't contact me for tech support. I've nothing to do with it. It works; it does take a bit of tweaking; so just give it a whirl and be playful. ®

Securing Web Applications Made Simple and Scalable

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.