From: Jon Robson <los_alamos@hotmail.com>
To: km@hackersclub.com <km@hackersclub.com>
Subject: Hotmail vulnerability?
Date: Wednesday, April 07, 1999 10:53 PM

Hello there,

I am what most people would consider a newbie. However, I discovered a little something about Hotmail just now, thought you might be interested.

To get this to work, you must
a) have somebody's hotmail account name and password;
b) the person must have set up hotmail's POP mail options to receive POP mail in Hotmail.

By downloading the link that says "POP Mail" just next to the "Check for New Hotmail" link in the inbox, it is possible to view the person's ISP login name, and cleartext ISP password. Here is what I downloaded tonight (I will comment important stuff in brackets (), although you will probably already know anyways):

    1st POP Account: </b></td></tr>
    <tr><td align="right">POP Server Name:</td>
    <td align="left"><input type="text" name="sname0" value="232.182.98.45" (ISP IP address or domain name) size=30 maxlength=36></td></tr>
    <tr><td align="right">POP User Name:</td>
    <td align="left"><input type="text" name="uname0" value="los_alamos"(login name, I changed it of course) size=30 maxlength=36></td></tr>
    <tr><td align="right">POP User Password:</td>
    <td align="left"><input type="password" name="upasswd0" value="luther" (unencrypted password, changed again, of course) size=30 maxlength=36></td></tr>

Although this is not a HUGE vulnerability (you need an account, and the account must have POP mail set up), this seems like a fairly easy way to get the login name and password for an ISP...from there, it shouldn't be too hard to find the dial up number, using social engineering or something.

If you already knew about this, I'm sorry for bothering you with it. Oh yea, is there any way to get Java/Javascript into Hotmail messages? They filter the headers and such now, at least from what I've tried.

Thank you for your time,
Jon Robson

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
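
Added example, not part of the original e-mail: a check a site owner could run over rendered settings pages to flag the condition reported above, a password field delivered to the browser with its stored value already in the markup. The function and class names and both sample forms are constructed for illustration; only the field names `uname0` and `upasswd0` come from the message.

```python
from html.parser import HTMLParser

# Constructed sample: a settings form that echoes the stored secret back.
LEAKY_FORM = '''<form>
<tr><td>POP User Name:</td><td><input type="text" name="uname0" value="exampleuser" size=30></td></tr>
<tr><td>POP User Password:</td><td><input type="password" name="upasswd0" value="example-secret" size=30></td></tr>
</form>'''

# Constructed sample: the same form with the password field left empty,
# so the stored secret never leaves the server.
FIXED_FORM = '''<form>
<tr><td>POP User Name:</td><td><input type="text" name="uname0" value="exampleuser" size=30></td></tr>
<tr><td>POP User Password:</td><td><input type="password" name="upasswd0" value="" size=30></td></tr>
</form>'''


class PrefilledSecretFinder(HTMLParser):
    """Collect <input type="password"> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; valueless attributes arrive as None.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        if a.get("value", "").strip():
            line, _col = self.getpos()
            # Record where the field is and how long the value is,
            # but never copy the secret itself into the report.
            self.findings.append(
                {"name": a.get("name", ""), "line": line, "value_len": len(a["value"])}
            )


def find_prefilled_password_fields(html):
    """Return one finding per password input whose value is sent in the page."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(find_prefilled_password_fields(LEAKY_FORM))
    print(find_prefilled_password_fields(FIXED_FORM))
```
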