From: Jon Robson <los_alamos@hotmail.com>
To: km@hackersclub.com <km@hackersclub.com>
Subject: Hotmail vulnerability?
Date: Wednesday, April 07, 1999 10:53 PM

Hello there,
I am what most people would consider a newbie. However, I discovered
a little something about Hotmail just now, thought you might be
interested. To get this to work, you must a) have somebody's hotmail
account name and password; b) the person must have set up hotmail's
POP mail options to receive POP mail in Hotmail. By downloading the
link that says "POP Mail" just next to the "Check for New Hotmail"
link in the inbox, it is possible to view the person's ISP login name,
and cleartext ISP password. Here is what I downloaded tonight (I will
comment important stuff in brackets (), although you will probably
already know anyways):

1st POP Account: </b></td></tr>
<tr><td align="right">POP Server Name:</td>
<td align="left"><input type="text" name="sname0"
value="232.182.98.45" (ISP IP address or domain name) size=30
maxlength=36></td></tr>
<tr><td align="right">POP User Name:</td>
<td align="left"><input type="text" name="uname0"
value="los_alamos"(login name, I changed it of course) size=30
maxlength=36></td></tr>
<tr><td align="right">POP User Password:</td>
<td align="left"><input type="password" name="upasswd0" value="luther"
(unencrypted password, changed again, of course) size=30
maxlength=36></td></tr>

Although this is not a HUGE vulnerability (you need an account, and
the account must have POP mail set up), this seems like a fairly easy
way to get the login name and password for an ISP...from there, it
shouldn't be too hard to find the dial up number, using social
engineering or something. If you already knew about this, I'm sorry
for bothering you with it. Oh yea, is there any way to get
Java/Javascript into Hotmail messages? They filter the headers and
such now, at least from what I've tried.
Thank you for your time,
Jon Robson
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
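
A check for the behaviour described in the message above, as an added example that is not part of the original email: it parses a page and reports every password input that the server sends with a non-empty value attribute, without echoing the secret itself. The sample markup is constructed from the form quoted in the message (server, user name and password are placeholders), and the class and function names are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the form quoted in the message.
# All field values are placeholders; upasswd1 is an added empty field.
SAMPLE_PAGE = """
<form>
<tr><td align="right">POP Server Name:</td>
<td align="left"><input type="text" name="sname0"
value="pop.example.net" size=30 maxlength=36></td></tr>
<tr><td align="right">POP User Name:</td>
<td align="left"><input type="text" name="uname0"
value="exampleuser" size=30 maxlength=36></td></tr>
<tr><td align="right">POP User Password:</td>
<td align="left"><input type="password" name="upasswd0"
value="placeholder-secret" size=30 maxlength=36></td></tr>
<tr><td><input type="password" name="upasswd1" value="" size=30></td></tr>
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects password inputs that arrive with a stored value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        if a.get("value", "") != "":
            # Record the field name and value length only, never the secret.
            self.findings.append(
                {"name": a.get("name", "<unnamed>"), "length": len(a["value"])}
            )


def find_prefilled_passwords(html):
    """Return one finding per password input sent with a non-empty value."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_prefilled_passwords(SAMPLE_PAGE):
        print(f"password field {f['name']!r} is sent with a {f['length']}-character value")
```
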