Hotmail Hole Could Expose Your Messages

A limited though powerful hole in Hotmail allows hackers to view users' personal e-mail messages.

The hacker group Root Core has published an exploit of a vulnerability in Microsoft's free Web-based e-mail service that would allow a user to view the private e-mails of another user. However, attacks must be targeted to a specific user and require some careful guesswork.

Through a spokesperson, Microsoft says Hotmail engineers have identified the problem and are working to fix the hole. They hope to fix the flaw by the end of the day, she says.

There are two steps in the hack: First, hackers must find out the account name (e-mail address) of the Hotmail user; second, they must find out the exact time the message they want to read was sent.

The second step, however, is what makes this exploit difficult. Messages are time-stamped in what appears to be Unix time, or the number of seconds since January 1, 1970, according to Ryan Russell, an analyst at SecurityFocus.com, a business security Web site in San Mateo, California.

"It may help predict what these numbers are. It remains to be seen," he says. If a hacker knows approximately when a message was received, he can set up a program to calculate the seconds and run through messages in a given time frame to find an e-mail.

The published exploit suggests such a solution. "Now [if] typing those message numbers manually is too much work, you could create a small utility to automatically scan [a] given range of messages from specific user name. (You need to build it to work with IE, as you must be logged in Hotmail when you want to view messages...)"

Much of the necessary information, however, appears to be missing from the published exploit, Russell says.

"It doesn't explain exactly how to guess the number of the message," Russell says, and at the Root Core Web site, "there has been little discussion on how hard it is."

The immediate concern for Hotmail users isn't grave, he says, since this is a targeted attack. Unlike other exploits, only one user at a time can be affected from a single hacker. He adds that Microsoft tends to fix these kinds of holes soon after they're publicized.

However, this exploit points out "the whole ASP model vulnerability," Russell says. "The good news is Microsoft can fix it in one fell swoop."

It is also difficult for security analysts to test the exploit, he says, because Microsoft could come after them for breaking into other e-mail accounts. "If they really want to know," he says, "They're going to have to put their neck on the line."