Showing posts from August, 2005

Big Hotmail Security Risk, and solutions

If you ever access Hotmail from a machine shared with others, you are very vulnerable to this attack. The full message is at Totse.com, which I have not yet caught in any bloopers. Here's a summary:

MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and could be easily exploited. The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords.

What's scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in.

{snip}

But even with the expiration option enabled at its most secure setting, testing showed that a cookie could be exported to another computer and still used to authenticate a password-less Hotmail login 24 hours later.

There's little Microsoft can d…
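The failure mode the post describes, a stolen cookie that keeps working after the password is changed and even after the cookie's own lifetime should have ended, comes down to the server trusting the cookie by itself. As an added example (not code from the post, from Totse.com, or from Hotmail), the Python below sketches the defensive pattern: sessions are opaque random tokens looked up server-side, each one is tied to the password version that was current at login, and a password change bumps that version and drops the user's sessions, so a copied token no longer authenticates. User names, passwords, the in-memory stores and the 24-hour lifetime are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stores standing in for a real user table and session table.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "pw_version": int}
SESSIONS = {}  # session token -> {"user": str, "pw_version": int, "expires": float}

SESSION_TTL = 24 * 3600  # assumed lifetime; the post mentions 24 hours


def _hash_password(password, salt):
    """Salted PBKDF2 so the store never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username, password):
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "pw_version": 1,
    }


def _password_matches(user, password):
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def login(username, password, now=None):
    """Return a fresh session token on success, None otherwise."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not _password_matches(user, password):
        return None
    # Opaque random token: the cookie carries no user data and cannot be
    # forged, only looked up.  Its meaning lives entirely in SESSIONS.
    token = os.urandom(32).hex()
    SESSIONS[token] = {
        "user": username,
        "pw_version": user["pw_version"],
        "expires": now + SESSION_TTL,
    }
    return token


def validate_session(token, now=None):
    """Return the username for a live session token, or None."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    user = USERS[sess["user"]]
    # Reject both expired tokens and tokens issued under an older password,
    # so a copied cookie dies with the password it was minted under.
    if now >= sess["expires"] or sess["pw_version"] != user["pw_version"]:
        SESSIONS.pop(token, None)
        return None
    return sess["user"]


def change_password(username, old_password, new_password):
    """Rotate the credential and invalidate every existing session."""
    user = USERS.get(username)
    if user is None or not _password_matches(user, old_password):
        return False
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["pw_version"] += 1
    # Drop the server-side records outright; the version check above is a
    # second line of defence for any session record that outlives this loop.
    for tok in [t for t, s in SESSIONS.items() if s["user"] == username]:
        del SESSIONS[tok]
    return True


def logout(token):
    """Explicit logout must also destroy the server-side record."""
    return SESSIONS.pop(token, None) is not None
```

With this shape a cookie copied to another machine stays valid only until the owner changes the password or the token expires, and every acceptance decision is made against server-side state rather than against whatever the client presents.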