Hotmail cookies in the hotseat

Discussion in 'privacy problems' started by snowman, May 5, 2002.

Thread Status:
Not open for further replies.
  1. snowman

    snowman Guest

            Hotmail at Risk to Cookie Thieves
    .
    .
    MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and apparently being exploited.
    .
    The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords.
    .
    "What's scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in," said Eric Glover, a New Jersey-based programmer who has a doctorate in computer science from the University of Michigan.
    .
    Glover said he unearthed the Hotmail cookie problem when a friend's former boss started accessing the friend's Hotmail account -- and continued to use the account even after the pal repeatedly changed her password.
    .
    After studying Hotmail's sign-on process, Glover concluded that the snoopy manager likely had grabbed a copy of the Hotmail cookies from the friend's work computer or a back-up tape and had been using them to digitally unlock her Web mail account.
    .
    Microsoft officials said Thursday that the Hotmail service offers users several tools to limit what the company terms "cookie-based replay attacks" but added that Microsoft is "always looking at ways to protect users further, as well as giving them more control over their online experience."
    .
    Security experts, however, said today that the Hotmail vulnerability exposes the risks of relying on browser cookies as the digital keys to Internet sites.

    .
    Cookies, the small data files placed on an Internet user's computer when visiting websites, are primarily used to identify visitors for the purpose of customizing content such as advertising. But many sites, including Hotmail, also rely on cookies for more serious authentication purposes.
    .
    For such sites, the cookie is akin to an ATM banking card that doesn't also require the holder to provide a password. Lose the "card" and you may give up your security....
    .

    .          
    http://boards.cramsession.com/boards/vbm.asp?m=543274




           * MODS,   if this is the in-corrected forum please feel free to move accordingly......thanks


                             snowman
     
  2. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I really wish these people would stop using *&*^%$%£ Hippy Language when describing what we do online.  Will they ever grow up and speak moderate English?
     
  3. snowman

    snowman Guest

              Checkout

              LOL....maybe thats the M$ way of saying "gee, we don't know how to correct this"""



                              snowman
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    D@mn you are funny Checkout!

    I agree, everything is an "experience." MS isn't the only one who does that though. It is a marketing angle with which companies attempt to lure in uneducated (with computers that is) people who have money into buying what they are selling. Take AOL for instance. You have seen the commercials. Are they talking about the same internet I use? Sounds like version 7 of the internet is available only for AOL users. Utter rubish, but sadly, it is extremely effective. Retired and wealthy grandma and grandpa can't sign up fast enough. They buy a Dell or a Compaq or some other piece of junk, get AOL and then email every funny thing they see to everybody on their list. Viruses and All.

    Marketing makes the world go round (not love unfortunately)
     
  5. Checkout;

    Checkout; Guest

    Let's celebrate that with a Group Hug.  I lurv ya, Man!
     
  6. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada

    please don't lurv me, it is against my religion to lurv.
     
  7. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    May I point out that Checkout never requested you return his lurv?
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    A little off-topic, no?  ;)
     
  9. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    No, Man!  I lurv Hotmail Cookies, they bring peace to the World.  I stick daisies in the barrels on Hotmail Top Guns and I rattle my beads at their spam.  My mantra is "Microsoft!  Microsoft!  Microsoft!" and Gates, lurv him, is like this big Daddy of cosmic coding.  Take a trip.  Tune in, turn on, reboot.  Yeah!
     
  10. snowman

    snowman Guest

           WHOA.....someone open a window..there is the smell of wacky tabacky in the house!!!!



                      snowman
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    hey Check out, you sure you are not from BC?
     
  12. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    As I look at the window at a drizzly Dublin day, I'd say, yeah, pretty sure.  :)
     
  13. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Too bad, you'd get along famously around here.
     
Thread Status:
Not open for further replies.