Hotmail Users Need to Update Browser
For many people, the axiom "If it ain't broke, don't fix it" is their modus operandi. With so many other things to worry about, updating a browser that seems to be working fine just isn't a high priority. However, a recently discovered security bug in Hotmail may serve as a wakeup call to all Internet Explorer 4.x and 5.0 users. BugNet has verified a security vulnerability that would allow a malicious user to usurp control of someone else's Hotmail account, allowing the hacker to read and send e-mail from that account. Because this security hole can be thwarted by upgrading IE, we recommend that all Hotmail users verify that they are running the most current version of the Microsoft browser.
With testing provided by KeyLabs, BugNet was able to verify this Hotmail vulnerability reported by an Internet developer in Denizli, Turkey. Alp Sinan, an e-commerce and security consultant, supplied demonstration code that allowed us to gain access to test e-mail accounts on the Hotmail server. The exploit involves using a previously reported security hole in IE ("Unauthorized Cookie Access") to steal an unsuspecting user's Hotmail cookie. That cookie is then used to authenticate the malicious user to the victim's Hotmail account.
While newer versions of IE prevent a hacker from stealing cookies, there are still a lot of Internet users who use the default browser that came with Windows 95 and Windows 98. For many, the size of the download has prevented them from upgrading over a dialup connection.
Since Microsoft has issued Service Packs and Upgrades for the "Unauthorized Cookie Access" bug, this leaves the rest of the blame with Hotmail for their lax security and authentication procedures. Hotmail's authentication is built on session cookies. When a user logs in, Hotmail sends the user an encoded cookie that the browser uses to authenticate with the Hotmail server throughout the life of the Hotmail session. If the user can be tricked into sending this session cookie to a hacker, then the hacker could also gain access to the victim's account. The hacker might do this by enticing the user to click on a carefully constructed Internet link within an e-mail or on a web page.
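The paragraph above describes why a stolen session cookie is enough: the cookie is a bearer credential, so the server treats whoever presents it as the logged-in user. The following simulation is an added example written for this page; it is not Hotmail's code or BugNet's demonstration code, and the session store, the client tuple (address plus user-agent string), and the 15-minute lifetime are all assumptions. It contrasts a cookie-only store with one that records the client at login, expires sessions, and revokes a session the moment its cookie shows up from a different client.

```python
"""Constructed model of session-cookie authentication (not Hotmail's code).

BearerSessionStore: the weakness described in the article, where presenting
a valid cookie is all the server checks.
BoundSessionStore: a server-side mitigation that ties each session to the
client that created it and to an expiry, and revokes it on mismatch.
"""
import secrets
import time

SESSION_TTL = 900  # seconds; assumed lifetime, not a Hotmail value


class BearerSessionStore:
    """Cookie-only authentication: any holder of the cookie is the user."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_hex(16)  # random, unguessable session id
        self._sessions[token] = username
        return token

    def user_for(self, token, client=None):
        # The client argument is ignored: this is the bearer-token property.
        return self._sessions.get(token)


class BoundSessionStore:
    """Binds each session to the client seen at login, with an expiry."""

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> {"user", "client", "issued"}
        self._now = now  # injectable clock so expiry can be tested

    def login(self, username, client):
        token = secrets.token_hex(16)
        self._sessions[token] = {
            "user": username,
            "client": client,  # assumed to be (remote address, user agent)
            "issued": self._now(),
        }
        return token

    def user_for(self, token, client):
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() - session["issued"] > SESSION_TTL:
            del self._sessions[token]  # expired: force a fresh login
            return None
        if session["client"] != client:
            # Same cookie, different client: treat it as stolen and revoke,
            # so the legitimate holder is logged out too and must re-login.
            del self._sessions[token]
            return None
        return session["user"]


def demo():
    """Replays one captured cookie against both stores; returns the outcomes."""
    # Constructed sample clients using documentation address ranges.
    victim = ("198.51.100.7", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)")
    other = ("203.0.113.9", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)")

    bearer = BearerSessionStore()
    cookie = bearer.login("alice")
    bearer_result = bearer.user_for(cookie, other)  # "alice": accepted

    bound = BoundSessionStore()
    cookie = bound.login("alice", victim)
    bound_result = bound.user_for(cookie, other)  # None: rejected and revoked
    victim_after = bound.user_for(cookie, victim)  # None: session is gone

    return {
        "bearer_accepts_replay": bearer_result,
        "bound_accepts_replay": bound_result,
        "bound_victim_after_replay": victim_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Binding a session to the remote address and browser string is a coarse control: dialup users change addresses between calls and proxies can make different users look alike, so it narrows the window rather than closing it, and it does nothing to stop the cookie from being read in the first place. That is why the article's practical fix is the browser update.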
BugNet informed Hotmail of the vulnerability and included sample code. To date we have not received any feedback. Until Hotmail changes its security mechanism, the only fix is to update IE to version 5.1 with Service Pack 1, or to upgrade IE to version 5.5. Both of these are freely downloadable from Microsoft's site. Stay tuned for more information as it becomes available.
August 18th, 2009