Big Hotmail Security Risk, and solutions
If you ever access Hotmail from a machine shared with others, you are very vulnerable to this attack. The full message is at Totse.com, which I have not yet caught in any bloopers. Here's a summary:
MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and could be easily exploited. The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords.
What's scary about this is that once they have your cookies, they have your account for as long as those cookies stay valid. Even if you change your password, they can still get in, because Hotmail accepts the cookies without ever asking for the password again.
Hotmail does offer a cookie-expiration option, but even with it enabled at its most secure setting, testing showed that a cookie could be exported to another computer and still used for a password-less Hotmail login 24 hours later.
There's little Microsoft can do to guard Hotmail users against cookie attacks. Since Hotmail is designed to allow users to access their accounts from any computer anywhere, the service's authentication cookies do not appear to constrain access based on a user's Internet Protocol address.
A Hotmail user's best defense against cookie robbers is to shun the "keep me signed in" option, and to follow Microsoft's advice and click the service's sign-out icon when finished with a Hotmail session.
Note: The Firefox web browser, free from Mozilla, allows easy erasure of cookies by clicking on
Tools > Options > Privacy > Clear (Cookies)
You may add another free extension which turns cookie clearing into a two-click process. I have used that "x" extension for over three months with no problems.
In Internet Explorer, click on
Tools > Internet Options > General tab (if not already selected) > Temporary Internet Files > Delete Cookies > Yes. Then exit from IE, go to the Desktop, right-click on the Recycle Bin and erase all the files there, then defragment the machine to make sure those deleted files can't be undeleted. (Defragmenting does not guarantee that the freed space is actually overwritten; a dedicated free-space wiping tool is more reliable.)
So, if you must use a shared machine, make sure you know how to purge cookies from its hard drive, or find a web-based e-mail service less easily cracked.
AboutCookies.org offers more information about 'cookies' and web browsers.