kiloseven.blogspot.com

2005-08-16

Big Hotmail Security Risk, and solutions

If you ever access Hotmail from a machine shared with others, you are very vulnerable to this attack. The full message is at Totse.com, which I have not yet caught in any bloopers. Here's a summary:

MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and could be easily exploited. The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords.

What's scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in.

{snip}

But even with the expiration option enabled at its most secure setting, testing showed that a cookie could be exported to another computer and still used to authenticate a password-less Hotmail login 24 hours later.

There's little Microsoft can do to guard Hotmail users against cookie attacks. Since Hotmail is designed to allow users to access their accounts from any computer anywhere, the service's authentication cookies do not appear to constrain access based on a user's Internet Protocol address.

A Hotmail user's best defense against cookie robbers is to shun the "keep me signed in" option, and to follow Microsoft's advice and click the service's sign-out icon when finished with a Hotmail session.

{snip}

Note: The Firefox web browser, free from Mozilla, allows easy erasure of cookies by clicking on
  • Tools
  • Options
  • Privacy
  • Clear (next to Cookies)
It also supports S/MIME-encrypted e-mail through a free plug-in ('extension').

You may add another free extension which turns cookie clearing into a two-click process. I have used that "x" extension for over three months with no problems.

In Internet Explorer, click on
  • Tools
  • Internet Options
  • General tab (if not already selected)
  • Temporary Internet Files
  • Delete Cookies
  • Yes
  • Exit from IE
  • Go to the Desktop
  • Right-click on the Recycle Bin and empty it
  • then defrag the machine to reduce the chance that those deleted files can be undeleted.
Note that defragmenting only moves data around; it does not guarantee that the sectors the cookie files occupied are overwritten. If you need the cookies gone for good, a dedicated secure-wipe tool that overwrites free space is more reliable.

So, if you must use a shared machine, make sure you know how to purge cookies from its hard drive, or find a web-based e-mail service less easily cracked.
If you wish me to send you an invite for a free e-mail service I've found reliable and secure, Gmail (by Google), reply to me at the e-mail address in the box at the top of this page, and I'll send it to you.

AboutCookies.org offers more information about 'cookies' and web browsers.