Weekly News
Hackers shortcut Hotmail password reset protections
By Brian Krebs, Newsbytes.
September 13, 2004
Security researchers have discovered a vulnerability in Microsoft Corp.'s
Hotmail service that allows hackers to bypass security questions that users
must answer before resetting their passwords.
Normally, if Hotmail users forget their password, they must fill out a Web
form that requires their e-mail address, state, ZIP code and country. Users
who enter the correct information are then prompted for the answer to the
"secret question" they selected when signing up for the service.
According to information obtained by Newsbytes, hackers recently discovered
a way to skip the validation form and go directly to any user's "secret
question" prompt. From there, the intruder is only one step away from
resetting the user's password.
Sources say that since the discovery of the security hole roughly two weeks
ago, a small cadre of hackers has been patiently checking a long list of
high-profile and desirable usernames for easily guessed answers to secret
questions.
Screenshots obtained by Newsbytes showed that the password and secret
question for at least one highly desirable Hotmail username of the sort
traditionally reserved for system administrators had been changed to "Who
owns you????" Another hacked secret question was changed to an Internet
address for a hacker group's Web site.
"It got my attention right off, because I know I've never taken those
'secret question' things seriously enough to jot in anything other than 'abcdef'
or 'whatnot'," said Adrian Lamo, a security researcher who reported the
problem to Microsoft through Newsbytes.
As a result of the vulnerability, many Hotmail users who rely on a variation
of "What's my favorite color" for a secret question could find themselves
shut out of their Webmail, Lamo said.
A Microsoft spokesman said there was nothing wrong with the company's e-mail
login service, and noted that Microsoft leaves it up to users to make their
secret questions as secure as possible.
The security problem posed by the exploit doesn't stop at e-mail, however.
Hotmail authentication also automatically signs the user in to other
Microsoft services, such as .Net Passport, a service that allows users to
automatically transfer personal and financial information about themselves
to approximately 100 participating merchant Web sites.
Armed with a user's Hotmail sign-on, an intruder could theoretically shop at
any one of the participating merchants, bill the purchases to the hijacked
user account and ship the item to another address, Lamo said.
The new vulnerability is the latest in a string of security problems with
Hotmail, a service that claims more than 200 million users.
Last month, scores of Microsoft's Gaming Zone users found themselves faced
with Hotmail address books containing the names and addresses of total
strangers. Some who attempted to compose messages from the account were
startled to see a signature line automatically attached to the bottom of
their messages, bearing the name and contact information of someone they had
never heard of.
Throughout last year, hackers discovered various ways of embedding
JavaScript code in Hotmail messages that redirected users to a fake Hotmail
site designed to trick them into re-entering their password.
In this instance, however, the keys to the exploit are actually hidden
within the source code of the Hotmail login page. The code, visible to
anyone who knows enough to select "View Source" from the menu of their
Web browser, reveals a "hidden" form field that, when populated with the
desired username, saved as an HTML file and opened in a Web browser,
produces the targeted user's "secret question."
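The following is an added illustration, not part of the article and not Hotmail's code or form fields: the flaw described above is a multi-step reset flow whose current step is carried in a client-controlled hidden field, so a crafted copy of the page can jump straight to the secret question. The Python below builds a constructed, hypothetical handler with that defect, submits a crafted page of the kind described, and then shows a hardened version that keeps progress in a server-side session, hands out an opaque token only after the validation step, ignores the client-supplied username once a session exists, and locks the flow after a few wrong answers (which also blunts the patient guessing described earlier). All account data, field names and function names are assumptions.

```python
"""Added example: step-skipping in a multi-step password reset and a fix.
Illustrative only. The account store, form fields and handlers are constructed
for this example and do not describe any real service."""
from html.parser import HTMLParser
import hmac
import secrets

# Constructed account store standing in for the webmail backend.
ACCOUNTS = {
    "sysadmin": {"state": "WA", "zip": "98052", "country": "US",
                 "question": "What is your favorite color?", "answer": "blue"},
}


class FormFields(HTMLParser):
    """Collect <input name=... value=...> pairs, as a browser does on submit."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if "name" in a:
                self.fields[a["name"]] = a.get("value", "")


def submit(html):
    """Simulate opening a saved HTML form and pressing submit."""
    parser = FormFields()
    parser.feed(html)
    return parser.fields


# Attacker's saved copy of the page: the hidden 'step' field is set so the
# handler believes the validation form was already passed (constructed).
CRAFTED_PAGE = """<form method="post" action="/reset">
<input type="hidden" name="step" value="question">
<input type="hidden" name="username" value="sysadmin">
<input type="submit" value="Go">
</form>"""


def vulnerable_reset(form):
    """Vulnerable: the step we are on is whatever the client says it is."""
    acct = ACCOUNTS.get(form.get("username", ""))
    if acct is None:
        return {"error": "unknown user"}
    step = form.get("step")
    if step == "validate":
        if (form.get("state"), form.get("zip"), form.get("country")) == \
                (acct["state"], acct["zip"], acct["country"]):
            return {"question": acct["question"]}
        return {"error": "validation failed"}
    if step == "question":  # reachable without ever passing 'validate'
        return {"question": acct["question"]}
    if step == "answer":
        if form.get("answer") == acct["answer"]:
            return {"reset": True}
        return {"error": "wrong answer"}
    return {"error": "bad step"}


# Hardened: progress lives server-side, keyed by an opaque token that is only
# issued after the validation step succeeds.
SESSIONS = {}
MAX_ANSWER_TRIES = 5


def hardened_reset(form):
    token = form.get("token")
    if token is None:
        # The only entry point is validation; unknown user and wrong data get
        # the same reply so the form does not confirm which usernames exist.
        acct = ACCOUNTS.get(form.get("username", ""))
        if acct and (form.get("state"), form.get("zip"), form.get("country")) == \
                (acct["state"], acct["zip"], acct["country"]):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = {"user": form["username"], "tries": 0}
            return {"token": token, "question": acct["question"]}
        return {"error": "validation failed"}
    sess = SESSIONS.get(token)
    if sess is None:
        return {"error": "no session"}
    acct = ACCOUNTS[sess["user"]]  # username comes from the session, not the form
    sess["tries"] += 1
    if sess["tries"] > MAX_ANSWER_TRIES:
        SESSIONS.pop(token)  # lock this reset attempt after too many guesses
        return {"error": "locked"}
    given = form.get("answer", "").strip().lower().encode()
    if hmac.compare_digest(given, acct["answer"].encode()):
        SESSIONS.pop(token)
        return {"reset": True}
    return {"error": "wrong answer"}


if __name__ == "__main__":
    crafted = submit(CRAFTED_PAGE)
    print("vulnerable:", vulnerable_reset(crafted))  # leaks the secret question
    print("hardened:  ", hardened_reset(crafted))    # validation failed
```

Submitting the crafted form to the vulnerable handler returns the secret question with no validation at all; the hardened handler refuses because no token exists until the address, state, ZIP and country have been supplied, and the token is the only way to reach the question and answer steps. The try counter is per reset session here; a production service would also count failures per account and per source address, since an attacker can simply restart the flow.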
"Cisco Kid," the nickname of the hacker who helped to develop the exploit,
said Microsoft simply has no good explanation for leaving something so
central to authentication in plain text.
"It was quite disconcerting to see such a seemingly heavily protected
Web-site and e-mail service overlook the prospect of encrypting information
pertaining to resetting passwords," the Kid said.