Thread: Hotmail & MSN Passport security...

  1. #1
    chicken

    Hotmail & MSN Passport security...

    I was just poking around Hotmail to attempt to find another way to log in for someone who was getting a blank screen and "done" instead of a login screen. One of the things I wanted to test was calling it up in another language just to see if it would work, so I took the "lc=1033" part out of one of the page addresses I had found and changed it to 1032, turning it Arabic I think. I also changed the ID= number to find an alternative MSN Passport login site to Hotmail, and logged in there.

    On returning to Hotmail's login screen, my e-mail address was now in the username field and it only required a password to get to my mail. Instead of typing a password I added the lc=1033 line into the address bar to see if it worked, and to my surprise it logged me into my mail!

    So basically, if you leave a browser open that you've been logged into any MSN Passport site with, even if you have left that site another user could come along, go to Hotmail in it, type lc=1033 at the end of the address and read your mail. Luckily it seems closing the browser or pressing "Log Out" prevents access this way, but it still seems a bit unsecure to me, as you could probably access their entire passport like this.

    Always close your browser behind you!
    1.21 GIGAWATTS!!!!!

  2. #2
    Senior Member
    Pressing Logout deletes the Session ID, so that's why it shouldn't let you see your emails when you press logout. I expect that Hotmail's sessions are set to last quite a long time.

    If you left yourself logged in for 10-15 mins and then did what you did, it shouldn't work, I guess.

  3. #3
    chicken
    Hadn't touched it since writing that, it still works about 40 mins later.
    1.21 GIGAWATTS!!!!!

  5. #5
    ... and we wonder why so many people manage to have their hotmail accounts 'stolen'!

  6. #6
    Senior Member
    They do have a logout button for a reason you know...
    Twigman

  7. #7
    chicken
    I know, but how often do you think people actually press it?

    It's not the fact that the session is still open that surprises me, but the fact you can get into it using just 7 characters that should have absolutely nothing to do with verification. All that 1033 means is that it is to be displayed in English.

    Ah well, it was just a warning to people to log out/shut their browser upon leaving.
    1.21 GIGAWATTS!!!!!
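
A minimal model of the session behaviour discussed in the posts above, added here as an illustration and not taken from Hotmail or MSN Passport: the request is authenticated by a server-side session looked up from the cookie, while `lc` only selects the display language, so the exposure is bounded by the idle timeout and by logout invalidating the session on the server. The class and function names, the user `alice`, and the timeout values are assumptions.

```python
import secrets

class SessionStore:
    """Server-side sessions keyed by the random id carried in the cookie."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout      # seconds of allowed inactivity
        self._sessions = {}                   # sid -> [user, last_seen]

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [user, now]
        return sid

    def logout(self, sid):
        # Invalidate on the server; deleting only the browser cookie is not enough.
        self._sessions.pop(sid, None)

    def authenticate(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry[1] > self.idle_timeout:
            del self._sessions[sid]           # expired: drop it for good
            return None
        entry[1] = now                        # sliding window: activity renews
        return entry[0]

def handle_inbox(store, cookies, query, now):
    """query['lc'] only picks the display language; it is never a credential."""
    user = store.authenticate(cookies.get("sid"), now)
    if user is None:
        return 401, "login required"
    return 200, f"inbox for {user} (lc={query.get('lc', '1033')})"

def demo():
    # Constructed scenario: browser left open, revisited 40 minutes later.
    results = {}
    for label, timeout in (("long-lived", 24 * 3600), ("15-min idle", 15 * 60)):
        store = SessionStore(timeout)
        cookies = {"sid": store.login("alice", now=0)}
        results[label] = handle_inbox(store, cookies, {"lc": "1033"}, now=40 * 60)[0]
    store = SessionStore(24 * 3600)
    cookies = {"sid": store.login("alice", now=0)}
    store.logout(cookies["sid"])
    results["after logout"] = handle_inbox(store, cookies, {"lc": "1033"}, now=60)[0]
    return results

if __name__ == "__main__":
    print(demo())
```

With a long-lived session the 40-minute-old browser still gets the inbox; with a 15-minute idle timeout, or after a server-side logout, the same request is sent back to the login page.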

  8. #8
    Senior Member
    Quote Originally Posted by chicken
    I know, but how often do you think people actually press it?
    I click logout every time... doesn't everyone?
    Obviously there are some dumb people out there.
    Twigman

  9. #9
    smtkr
    Guest
    You certainly made it easier for me to login to my email at home. The only public terminals I use are in the lab and nothing from my current session remains after I log out (kind of annoying really--every time I come to the lab and use the web, I have a million 'you are exiting an encrypted page...check here if you don't want this displayed again' messages).
