
Hotmail/MS Instant Messenger - if your account is canceled, your buddy list remains and can be taken over
Vulnerability

    Hotmail/MS Instant Messenger

Affected

    Hotmail/MS Instant Messenger

Description

    James Nelson found the following. If you use a Hotmail account to log
    in to Instant Messenger and your Hotmail account gets cancelled, your
    contact (or 'buddy') list does not get cleaned up. If another person
    creates a Hotmail account using that name, they will have access to
    your contact list and will show up on any contact list you were a
    part of.

    User A creates the Hotmail account superman@hotmail.com and uses it
    to log into Instant Messenger. User A adds a number of contacts, for
    instance loislane@hotmail.com or jimmyolsen@passport.com. If User A
    does not log in to the superman mailbox for some months (the exact
    period could not be found on Hotmail's web site), the account is
    automatically cancelled. However, the contact list lives on.

    Suppose that right about that time User B decides superman@hotmail.com
    would be a cool address and creates it. If User B installs Instant
    Messenger, the contact list will already be populated with User A's
    friends. Not only that, but User B will now appear on the contact
    list of any person who had added User A.

    Granted, User B will probably choose a different display name, but
    since display names can be changed arbitrarily, User A's friends may
    not think anything is amiss.
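    The root cause in the scenario above is that the contact list and the
    presence subscriptions of other users are keyed by the reusable
    e-mail handle, and cancellation removes only the mailbox. The toy
    model below is an added example, not Microsoft's code: NaiveMessenger
    reproduces the inheritance, HardenedMessenger keys contacts by an
    immutable account id and purges both directions on cancellation. The
    addresses are the constructed ones from the text.

```python
import itertools


class NaiveMessenger:
    """Contact lists keyed by the reusable e-mail handle; cancelling only drops the mailbox."""
    def __init__(self):
        self.mailboxes, self.contacts = set(), {}  # contacts: handle -> set of handles
    def register(self, handle):
        assert handle not in self.mailboxes, "handle in use"
        self.mailboxes.add(handle)
        self.contacts.setdefault(handle, set())  # BUG: a stale list is silently inherited
        return handle  # the handle doubles as the account key
    def add_contact(self, owner, other):
        self.contacts[owner].add(other)
    def cancel(self, handle):
        self.mailboxes.discard(handle)  # BUG: the list and its watchers are left intact
    def contacts_of(self, key):
        return set(self.contacts.get(key, ()))
    def watchers_of(self, key):
        return {o for o, cs in self.contacts.items() if key in cs}


class HardenedMessenger:
    """Contacts reference an immutable, never-reused account id; cancellation purges both ways."""
    def __init__(self):
        self._ids, self.uid_of, self.handle_of, self.contacts = itertools.count(1), {}, {}, {}
    def register(self, handle):
        assert handle not in self.uid_of, "handle in use"
        uid = next(self._ids)  # fresh id even if this handle existed before
        self.uid_of[handle], self.handle_of[uid], self.contacts[uid] = uid, handle, set()
        return uid
    def add_contact(self, owner, other):
        self.contacts[owner].add(self.uid_of[other])
    def cancel(self, handle):
        uid = self.uid_of.pop(handle)
        del self.handle_of[uid], self.contacts[uid]
        for cs in self.contacts.values():  # drop the dead id from every watcher's list
            cs.discard(uid)
    def contacts_of(self, key):
        return {self.handle_of[c] for c in self.contacts[key]}
    def watchers_of(self, key):
        return {self.handle_of[u] for u, cs in self.contacts.items() if key in cs}


def takeover_scenario(messenger_cls):
    # User A registers and befriends Lois, goes inactive, then User B re-registers the name.
    m = messenger_cls()
    a, lois = m.register("superman@hotmail.com"), m.register("loislane@hotmail.com")
    m.add_contact(a, "loislane@hotmail.com")
    m.add_contact(lois, "superman@hotmail.com")
    m.cancel("superman@hotmail.com")  # inactivity cancellation
    b = m.register("superman@hotmail.com")  # User B takes the freed name
    return m.contacts_of(b), m.watchers_of(b)
```

    With the naive store, User B inherits Lois as a contact and appears on
    Lois's list; with the hardened store, both sets come back empty.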

    This very thing has happened twice to James. The first time, he was
    using IM constantly, but Hotmail cancelled his account because
    (apparently) an Instant Messenger login doesn't reset the Hotmail
    inactivity counter. He asked to have his password reset and was told
    his account had never existed. So, thinking it was a glitch, he
    recreated his account (same name). Imagine his surprise when his
    contacts were already there!

    The second time, James simply did not use another account, for
    Hotmail or IM. One day someone unknown appeared in his contact list.
    It turned out that someone had registered that (by then cancelled)
    account and had inherited his contact list.

    Credit to Dmitri Alperovitch, who did a quick audit of Instant
    Messenger when it came out and pointed out that impersonation might
    be an issue.

Solution

    Microsoft has been notified through their IM feedback page. No
    response yet, other than the automated one.
