Hotmail meltdown: How it happened

How bad was the Hotmail crash? According to Microsoft's letter to its users, it was simply a matter of "service issues" that "generated questions about security."
Written by ZDNet UK, Contributor
But we thought stronger words might be used, since Sm@rt Reseller writers, during the service's vulnerable period, had to resist the temptation to read Microsoft President Steve Ballmer's personal e-mail. Everyone, but everyone's, Hotmail mailbox was compromised.

The security problem has been fixed, but the question remains: How could such a thing happen? As Sm@rt Reseller has found after an investigation -- all too easily.

Some reports suggested that a hacker group named "Hackers Unite" uncovered the security hole. However, the person cited most often for finding the hole is Michael Nobilio, a programmer at the Swedish Web design company PIPE. Nobilio saw his discovery as a mechanism for Hotmail users to easily access their accounts -- without considering that his discovery would also leave the door open for intruders. Nobilio then wrote a program, Hotmail Login ID Storage Program 1.1, to enable users to easily access their e-mail.

'Wide open'

Nobilio, however, isn't a cracker. His program was slightly modified by others to exploit the hole.

The Hotmail vulnerability was the equivalent of a hole in a wall big enough to drive the proverbial Mack truck through. The code needed to exploit the hole requires only five lines of Common Gateway Interface (CGI) HTML. This skeleton "key" code looks like:

http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh

According to Network Solutions records, the system behind the IP address is, to no surprise, wya-pop.hotmail.com, an important Hotmail gateway system.

To go through this hole, you didn't even need Nobilio's program. All you needed to do was put the above code in a Web browser and replace username with someone's Hotmail user name. That's it. No computer voodoo required, no hackerish expertise needed.

Once the hole was known, at least half a dozen sites implemented the code in simple Web pages. This enabled even novice Web surfers to use a browser to simply type in someone's name in a field to raid their mailbox.

So, what caused the Hotmail security hole? It has nothing to do with a fundamental flaw in the Hotmail software, the operating system or the architecture. There's also no evidence that the security vulnerability was a "backdoor" left in the Hotmail program to enable programmers to sneak peeks at users' mail.

Search for safer e-mail

No, the problem exploited by Nobilio's script was the result of sloppy CGI coding. By implicitly trusting information sent in the above Uniform Resource Locator (URL) data and format, and not requiring any further user password check, Hotmail's security door was left wide open.

Microsoft addressed the problem on Monday. By Monday evening, the hole had been closed. Still, the vulnerability may have been known for several days before it was reported to Microsoft by a Swedish newspaper on Sunday morning.

Today, that's history. Still, given Hotmail's history of security holes, the ease with which this one could be exploited, and the scope of just what a huge hole it was, resellers and users cannot be blamed for looking for safer e-mail systems.
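The coding error described above, a login handler that trusts the user name in the URL without checking a password, is modeled here beside a hardened handler. This is an added example, not Hotmail's code or code from the article; the function names, the mail.example host, the "alice" account and its password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user name -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def open_mailbox_trusting(url: str) -> Optional[str]:
    """Flawed pattern: the 'login' field in the URL alone selects the mailbox.

    The 'passwd' field is never compared against anything.
    """
    query = parse_qs(urlsplit(url).query)
    user = query.get("login", [""])[0]
    return user if user in USERS else None


def open_mailbox_checked(method: str, url: str, body: str) -> Optional[str]:
    """Hardened pattern: POST body only, password verified server-side."""
    # Credentials in a URL end up in browser history, proxy logs and Referer
    # headers, so refuse them outright.
    if method != "POST" or "passwd" in parse_qs(urlsplit(url).query):
        return None
    form = parse_qs(body)
    user = form.get("login", [""])[0]
    password = form.get("passwd", [""])[0]
    # Unknown users get a dummy record so they fail exactly like a bad password.
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    candidate = _hash(password, salt)
    # Constant-time comparison; the mailbox opens only when the hash matches.
    if not hmac.compare_digest(candidate, stored):
        return None
    return user
```

A real service would return an unguessable session token after the check and tie every later mailbox request to that token, so the user name in a request is never treated as proof of identity.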
