
Date Posted: 12:28:59 09/12/00 Tue
Author: CZ
Subject: Info for the hotmail hacker!

IE bug could compromise your Hotmail account
Contributed by: gzer0. Date: 09/02/00 17:31:46


A new exploit of an old bug that was reported on May 17 of this year could mean that your Hotmail accounts are at risk. The exploit works by enticing a Hotmail customer running Internet Explorer 4.x or 5.0 into clicking a carefully constructed link that would then access cookie information on the victim's Hotmail account, hence compromising it.

This bug was originally reported to BugNet - a company that produces fixes for known bugs - by an Internet developer from Denizli, Turkey. Alp Sinan, owner of PRONET, a security consulting company, was able to apply the "Unauthorized Cookie Access" vulnerability in a new way to create this exploit. Using his sample code, we were able to gain access to our test Hotmail accounts and not only read but also write e-mails on the unauthorized account.

The core of the problem within Hotmail is that the security is built on cookies (mostly session cookies). Hotmail's current authentication works as follows: Hotmail sends the user an encoded cookie when the user's sign-in name and password are entered. The user's browser then uses the information in the cookie to authenticate with the Hotmail server throughout the life of the Hotmail session. If the user can be tricked into sending this session cookie to a hacker, then the hacker can also gain access to the victim's account.

The bug is confirmed to affect versions 4.x to 5.0 only, whereas versions 5.1 and 5.5 are immune. Currently, the only way to protect your Hotmail account is to upgrade Internet Explorer, either with Internet Explorer 5.01 Service Pack 1 or by upgrading to Internet Explorer 5.5.
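
The cookie flow the article describes, modelled server-side as an added example that is not part of the original post and not Hotmail's code. The account, key, token format and function names are all assumptions made for illustration. It shows that signing the cookie stops forged values but not a copied one, and that ending the session on the server is what makes a copied cookie useless.

```python
import hashlib
import hmac
import secrets

# Everything below is constructed for illustration; none of it is Hotmail's code.
SERVER_KEY = secrets.token_bytes(32)
ACCOUNTS = {"alice@example.test": "correct horse"}   # sample account
LIVE_SESSIONS = {}                                    # session id -> user

def _tag(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def sign_in(user, password):
    """Check the password once and return the session cookie value, or None."""
    stored = ACCOUNTS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    session_id = secrets.token_urlsafe(32)
    LIVE_SESSIONS[session_id] = user
    return session_id + "." + _tag(session_id)

def authenticate(cookie):
    """Map a cookie to a user. Nothing about the sender is checked, only the cookie."""
    session_id, dot, tag = (cookie or "").rpartition(".")
    if not dot or not hmac.compare_digest(tag.encode(), _tag(session_id).encode()):
        return None                       # malformed or forged value
    return LIVE_SESSIONS.get(session_id)  # None once the session has ended

def sign_out(cookie):
    """End the session server-side so the cookie value stops working everywhere."""
    LIVE_SESSIONS.pop((cookie or "").rpartition(".")[0], None)

def demo():
    cookie = sign_in("alice@example.test", "correct horse")
    owner = authenticate(cookie)              # browser that signed in
    copied = authenticate("".join(cookie))    # same bytes sent by another client
    forged = authenticate("made-up-session." + "0" * 64)
    sign_out(cookie)
    after = authenticate(cookie)              # copy is useless after sign-out
    return owner, copied, forged, after

if __name__ == "__main__":
    print(demo())
```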

Forum timezone: GMT-8