Old Internet Explorer plus new Hotmail equals big vulnerability

BugNet has validated a security vulnerability that could allow a malicious user to gain access to your Hotmail account

Haven't upgraded Internet Explorer yet? Maybe this will convince you.

BugNet has validated a security vulnerability that could allow a malicious user to gain access to your Hotmail account. By enticing a Hotmail customer running Internet Explorer 4.x or 5.0 into clicking on a carefully constructed link, an attacker could trick the unwary victim into giving up crucial cookie information that would allow the hacker to gain access to the Hotmail account.

This is not a new bug, but a new exploit of an old bug originally reported on May 17, 2000.

Even though newer versions of Internet Explorer are readily available, there are still a lot of people using the version that came with Windows 98. Some don't want to touch something that seems to be working fine. For others, the sheer size of the download makes the prospect of upgrading over a dial-up connection seem like an insurmountable task. This latest security alert should serve as a wake-up call that maybe it is time to bite the bullet and upgrade.

We used KeyLabs to verify this vulnerability on systems running Internet Explorer versions 4.x and 5.0. KeyLabs was also able to verify that versions 5.1 and 5.5 are immune.

This bug was originally reported to BugNet by an Internet developer from Denizli, Turkey. Alp Sinan, owner of PRONET, a security consulting company, was able to apply the "Unauthorized Cookie Access" vulnerability in a new way to create this exploit. Using his sample code, we were able to gain access to our test Hotmail accounts and not only read but also write e-mails on the unauthorized account.

The core of the problem within Hotmail is that the security is built on cookies (mostly session cookies). Hotmail's current authentication works as follows: Hotmail sends the user an encoded cookie when the user's sign-in name and password are entered. The user's browser then uses the information in the cookie to authenticate with the Hotmail server throughout the life of the Hotmail session. If the user can be tricked into sending this session cookie to a hacker, then the hacker can also gain access to the victim's account.

While it is true that Microsoft has eliminated the "Unauthorized Cookie Access" problem with its latest releases of Internet Explorer, our concern is that we don't know what new browser bugs are going to emerge tomorrow. Therefore, a Web site like Hotmail has a fiduciary responsibility to protect user information.

One thing we might suggest to Hotmail is that when the Web site sets an authentication cookie, it needs to include variables representing important information like the user's session IP address or the computer name. This would prevent the cookie information from being used on another system. In the meantime, it's time to upgrade your browser.
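The cookie binding suggested above can be sketched as follows. This is an added example, not Hotmail's code or BugNet's: the server key, the cookie layout, the one-hour lifetime and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
MAX_AGE = 3600                        # assumption: one-hour session lifetime

def _mac(payload: bytes, client_ip: str) -> bytes:
    # The client IP is mixed into the MAC but never stored in the cookie,
    # so the tag only verifies when the cookie arrives from the same address.
    msg = payload + b"|" + client_ip.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_cookie(user: str, client_ip: str, now: Optional[int] = None) -> str:
    """Build 'base64(user|issued).base64(tag)' bound to the sign-in address."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload, client_ip)).decode()

def verify_cookie(cookie: str, client_ip: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is valid for this client IP, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        user, issued_s = payload.decode().rsplit("|", 1)
        issued = int(issued_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    if not hmac.compare_digest(tag, _mac(payload, client_ip)):
        return None  # tampered, or replayed from a different address
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= MAX_AGE:
        return None  # expired
    return user

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    cookie = issue_cookie("alice", "203.0.113.7")
    print(verify_cookie(cookie, "203.0.113.7"))   # same system: accepted
    print(verify_cookie(cookie, "198.51.100.9"))  # another system: rejected
```

Binding to the IP address has a cost: users who share one address behind a proxy or NAT are not distinguished from each other, and users whose address changes mid-session are signed out.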

This alert focused only on Internet Explorer, but our experience in testing this bug leads us to believe that Netscape is likely to suffer from the same Hotmail vulnerability. Currently, the only way to protect your Hotmail account is to upgrade Internet Explorer, either by installing Internet Explorer 5.01 Service Pack 1 or by downloading Internet Explorer 5.5. You can also upgrade your older version of Netscape to the latest, Netscape 4.75.