Hotmail hacked yet again - Microsoft thankful.
Well, it looks like Microsoft's Hotmail and Passport services have been hacked yet again. This time, however, Microsoft owes this computer geek their soul. Jeremiah Grossman, a former security auditor for Yahoo!, created a mere 3 lines of code which compromised Hotmail and Passport. After that had been patched, in a short matter of time he released another single line of code. The difference this time, however, is that he released the information to Microsoft directly, which promptly patched each of the gaping security holes. Mr. Grossman is confident that, given 8 hours, he could break Microsoft's security again.
L33tdawg: I wouldn't be surprised if he could do it in less than 8 hours. We've seen more than enough exploits released in the past with regards to hacking Hotmail that it's getting pretty old.
Expert Hacks Hotmail in One Line of Code
By Byron Acohido
Special to NewsFactor Network
August 31, 2001
Twice this month, Internet security consultant Jeremiah Grossman, 24, poked gaping security holes in Hotmail and Passport, Microsoft's free Web-based e-mail and identity-authentication services.
It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line. And the former Yahoo security auditor says he could do it again given 8 hours.
Grossman wasn't out to steal. Instead, he alerted a grateful Microsoft, which patched the holes before a malicious hacker could exploit them.
'Cross-Site Scripting'
Grossman's work signals the arrival of a new class of Internet security concerns, experts say. He used a "cross-site scripting" technique to piggyback invasive code on tiny programs that run live on Web pages to make them more interactive.
With Microsoft and others driving hard to make the Internet a primary channel for consumer and business transactions, cross-site scripting looms as a rising threat.
"It's easy ... to dream up very, very bad scenarios," says Shawn Hernan, security analyst for the federally funded Computer Emergency Response Team, which tracks hacker attacks.
Cross-site scripting was first noticed in 1997 when Web sites weren't nearly so interactive. Security experts are just now noticing the avenues it opens for hackers to slip past firewalls meant to protect sensitive data.
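To make the cross-site scripting risk described above concrete, here is an added example (not Grossman's code and not Hotmail's actual filter) contrasting a denylist filter that strips only `<script>` tags with an allowlist sanitizer that rebuilds trusted tags and escapes everything else. The function names, the `ALLOWED_TAGS` set and the sample message bodies are constructed for illustration.

```javascript
// Added illustration, not the article's or Microsoft's code. Constructed inputs.

// Denylist approach: remove <script> tags and assume the rest is harmless.
// This is the style of filter cross-site scripting evades, because markup
// other than <script> can also carry code (e.g. event-handler attributes).
function denylistFilter(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// Allowlist approach: keep only a fixed set of formatting tags, drop every
// attribute, and turn any other markup into inert text.
const ALLOWED_TAGS = new Set(["b", "i", "p", "br"]);

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

function allowlistSanitize(html) {
  // Tokens: a tag (capturing its name), a stray "<", or a run of text.
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|<|[^<]+/g, (tok, tag) => {
    if (tag === undefined) return escapeHtml(tok);           // text or lone "<"
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return escapeHtml(tok);     // unknown tag -> text
    return tok.startsWith("</") ? `</${name}>` : `<${name}>`; // rebuilt, no attributes
  });
}

// Check a defender can run over filtered output: does a live <script> tag
// or an event-handler attribute inside a tag survive?
function containsActiveContent(html) {
  return /<\s*script\b|<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample message bodies.
const SAMPLE_SCRIPT = "<p>Hi</p><script>steal()</script>";
const SAMPLE_HANDLER = '<p>Hi <img src=x onerror="steal()"></p>';

// The denylist stops the first sample but passes the second unchanged;
// the allowlist renders both inert.
console.log(containsActiveContent(denylistFilter(SAMPLE_HANDLER)));    // true
console.log(containsActiveContent(allowlistSanitize(SAMPLE_HANDLER))); // false
```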
Limitless Iterations
Experts worry that cross-site scripting has almost limitless iterations, and that it may be only a matter of time before it becomes a method of choice of clever hackers.
"It's a breeding ground for new types of Web security vulnerabilities," says Grossman, who left Yahoo 2 months ago to run his firm, WhiteHat Security.
And the opportunities for hackers are multiplying as Web sites add more features and services, experts say.
Hotmail, with 110 million users, and Passport have from time to time been hacked and patched. Next year Microsoft will introduce Web services, dubbed HailStorm, to spur Web users to buy goods, schedule appointments and receive reminders via the Internet using PCs, cell phones and other devices.
Evolving Challenges
Yet the more convenient and flexible Microsoft and others make the Web, the more leeway they provide for intrusions.
"Once we get into HailStorm, where we're storing lots of data in a Microsoft storage locker, firewalls won't help one bit. And the way people will be able to break in is through cross-site scripting," predicts Richard Smith, chief technology officer at the non-profit Privacy Foundation.
Microsoft spokesman Adam Sohn acknowledges that the industry faces an "evolving set" of security challenges, but expresses confidence that new systems and smarter practices will thwart hacking.
"We're absolutely committed to ensuring users a safe and secure computer experience online."