Apr 6 2009
Wide-spread exploitation of security hole in Windows Live Mail
Yesterday, April 5th 2009 at approximately 4:30pm (BST), several messages were sent from my HoTMaiL account to every single one of my MSN contacts. Luckily, this account is long-dormant – but unfortunately, Windows Live operates a shared list of contacts between Mail and Messenger (which I do still use, for my sins).
The message text was:
Great shopping for you!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!
The URL that followed was from the following domain:
Domain Name: DTPLAZA.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.DNS.COM.CN
Name Server: NS2.DNS.COM.CN
Status: clientTransferProhibited
Updated Date: 28-mar-2009
Creation Date: 28-mar-2009
Expiration Date: 28-mar-2010
… which was only registered 8 days prior to this email being sent. It appears that many other people have been having similar issues for days, though:
- 5 people hit since 9th March;
- 3 people hit since 26th March;
- 24th February (same message with a different URL);
- 26th March (same message with a different URL).
Other occurrences in mailing lists are here and here.
Worryingly, here is a spam blog post… did this user have the ability to create posts via email turned on, or is even more of the Live infrastructure compromised?
I believe that this must be a vulnerability within the Windows Live infrastructure: my mail account was unused, as I had not logged in to it for months. I do use MSN Messenger and did start Windows 7 over the weekend, which caused Live Mesh to update – both of which use the same login data. The password on the account was strong and not dictionary-based, and I haven’t used any public terminals or unsecured Wi-Fi connections recently – and probably not for Microsoft services for several years.
I can therefore only see three possibilities for the cause of this:
- Some organisation has the capability to crack Windows Live passwords en masse
- This is the most unlikely scenario, as the time needed to crack even a small number of weak dictionary-based passwords is enormous. Additionally, you’d hope that there would be rate-limiting mechanisms on login infrastructure to prevent an attacker spamming possible passwords at the maximum rate the network allows. Hopefully this rate-limiting isn’t source IP address based, as in today’s world of pervasive botnets, each individual machine need only send a small number of requests to cover large chunks of password dictionaries. I have checked such dictionaries for my password, though, and it isn’t listed.
- MSN Messenger has a login vulnerability
- If Messenger were vulnerable to a man-in-the-middle or replay attack, then an attacker would already have the login name (the user ID) and could potentially gain the account password. This would be a major hole in such a widely-used service, and would explain how my particular low-usage account could have been compromised. This option is troubling as it would give full access to all account data to an attacker. They could also change secret questions and follow linked accounts, probably trying the same password against these accounts. If this is the case, then the only solution until such a vulnerability is confirmed by Microsoft and fixed is to stop using the MSN Messenger protocol (as my work usage of MSN, the only significant use of this login information, is through the open-source Pidgin application).
- The Windows Live infrastructure has a vulnerability
- This is probably the most disturbing option, given the number of different ways in which Microsoft have tried to push what were originally HoTMaiL email account names as a form of universal ID. The silver lining is that the security model may not be blown open, and it may only be certain facets which can be accessed by an attacker. For example, an attacker may be able to view the contacts list and send email, but may be unable to view other details or change passwords. This view would be supported by the fact that none of the people reporting having had spam sent from their accounts have been locked out of Live Mail… surely, if you’d expended a lot of time or effort to crack a service that you then had full control over (as any of the above options would imply), then the first thing you’d do is change the password to lock out the owner whilst they work out how to get these details reset. Given that anyone inadvertently sending spam will likely find out about this situation from contacts fairly quickly, this doesn’t seem to disclose any additional information. At the same time, many users may be unsure as to what they are able to do to resolve the situation, and so the attack may simply rely on affected people doing nothing, whereas an account lock-out prompts action.
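The rate-limiting point made in the first option above, as an added simulation that is not part of the original post: a constructed botnet of 100 hosts spreads 500 wordlist guesses against one account, five per host, so a counter keyed on source IP never trips while a counter keyed on the target account stops the run after its first few failures. The account name, IP ranges and wordlist are all invented.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Attempt:
    account: str
    source_ip: str
    password: str

class FailureLimiter:
    """Refuses an attempt once the counter chosen by `key` has reached `limit` failures."""
    def __init__(self, limit, key):
        self.limit, self.key = limit, key      # key maps an attempt to the counter it charges
        self.failures = defaultdict(int)
    def allow(self, attempt):
        return self.failures[self.key(attempt)] < self.limit
    def record_failure(self, attempt):
        self.failures[self.key(attempt)] += 1

def botnet_attempts(account, dictionary, bots, per_bot):
    """Constructed botnet: bot i sends its own slice of the wordlist from its own IP."""
    for i in range(bots):
        for pw in dictionary[i * per_bot:(i + 1) * per_bot]:
            yield Attempt(account, f"10.0.{i // 256}.{i % 256}", pw)

def simulate(limiter, attempts, real_password):
    """Returns (processed, blocked, compromised); the attacker stops at the first success."""
    processed = blocked = 0
    for a in attempts:
        if not limiter.allow(a):
            blocked += 1
            continue
        processed += 1
        if a.password == real_password:
            return processed, blocked, True
        limiter.record_failure(a)
    return processed, blocked, False

DICTIONARY = [f"pw{i}" for i in range(500)]   # constructed wordlist
REAL_PASSWORD = "pw400"                        # constructed: deep in the list
ACCOUNT = "victim@example.com"                 # constructed

def per_ip_result(bots=100, per_bot=5, limit=10):
    # Every bot stays under the per-IP limit, so nothing is ever blocked.
    return simulate(FailureLimiter(limit, lambda a: a.source_ip),
                    botnet_attempts(ACCOUNT, DICTIONARY, bots, per_bot), REAL_PASSWORD)
def per_account_result(bots=100, per_bot=5, limit=20):
    # The account counter sees all bots together and closes after `limit` failures.
    return simulate(FailureLimiter(limit, lambda a: a.account),
                    botnet_attempts(ACCOUNT, DICTIONARY, bots, per_bot), REAL_PASSWORD)
```

Per-account counting has its own cost: anyone can lock the owner out by failing deliberately, which is why deployments normally combine both keys with increasing delays rather than a hard lock.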
My hunch is that the situation is described by the third option above: Other than Messenger, I make no use of other Windows Live services and haven’t for months – this suggests an attack against the Live infrastructure directly. The only question is then of what level of access an attacker gains: can they read the existing password? If not, then there will be a lot of spam going around until Microsoft fix the problem. If so, then all Microsoft IDs and all data associated with them are compromised, and these accounts should be closed immediately.
What needs to happen is for Microsoft to go public about this problem, how wide-spread it is, what information is compromised, and what they are doing about it. Until then, all Microsoft services should be approached with utmost caution.
Stuart
7th April 2009 @ 7:54 am
Unfortunately, it looks as if this is the most I’m going to get in terms of resolution:
Patrick
8th April 2009 @ 4:45 pm
this same thing happened to me! any idea on how to fix it???
Stuart
8th April 2009 @ 10:49 pm
Microsoft seem to be intent on making no form of admission that there’s any sort of problem – and if they don’t tell people how the problem has occurred, there’s no way for anyone to protect against it.
All I can suggest is to migrate to a different email and IM provider… not necessarily immensely practical, but with Microsoft unresponsive it’s the only way to be safe.
Susan
11th April 2009 @ 5:09 am
This also happened to me 3 days ago. I still use my hotmail account twice a week or so, but don’t use messenger or IM.
Thanks for your info/blog on this.
Stuart
11th April 2009 @ 10:16 am
Interesting… that would seem to rule out the second option above. And for my part, I only use Messenger.
Since cracking this number of passwords around the same time seems highly improbable, this would strongly suggest that there is some vulnerability in the Windows Live infrastructure which either allows access to accounts bypassing the login mechanism, or allows access to account passwords.
The most worrying aspect is whether the attacker can then view all account information, passwords, mail, etc. – or whether they’re limited to address-book access and sending messages only?
Susan
19th May 2009 @ 7:53 am
It’s happened again. A poorly phrased sales pitch for electronic goods from a complete cretin has been sent on my behalf to all my hotmail contacts. I have advised Hotmail, but feel concerned about the regularity of this issue. Have you encountered anything similar since?
Stuart
19th May 2009 @ 8:56 am
Hi Susan,
I share your pain on this one – all attempts to get any sort of answer from the Windows Live support service have been met with silence or a stock reply.
Did you change your password when your account was compromised the first time? Did you choose a strong replacement?
If so, then the fact that the system has been compromised again so quickly would suggest to me that it isn’t that passwords are being cracked, but that there is some form of vulnerability whereby accounts can be accessed without a password, or whereby passwords can be discovered by a third-party.
Until Microsoft acknowledges the problem, there’s little that can be done save for closing the Windows Live Mail account itself and moving to a different provider.
Mark Doyle
29th June 2009 @ 12:03 am
Hi Stuart,
A bit of interesting news for you. The same thing happened to me and Microsoft are stonewalling the issue. Their terms and conditions come under the TRUSTe European Safe Harbour agreement and they belong to the scheme. Microsoft also subscribe to the Data Protection Act in the UK. I am a UK citizen and I am registered with Microsoft in the UK. Microsoft’s terms and conditions point out that they may share your information with other Microsoft subsidiaries and affiliates outside your country. That means that the information is accessible from any point in the world by any one of their subsidiaries as the material has been passed through them through the network. Important issue: the laws of the country in which you are registered apply and you should seek that route. Microsoft are discriminating against non-US citizens and cannot be allowed to do so. I have made an official complaint with the ICO in the UK and TRUSTe stating that they are in breach of the privacy agreement and in my case UK law prevails over US law. The ECPA is a get-out clause for covering their backsides and I am willing to take it all the way. My account was accessed and all I wanted to know was what was viewed and downloaded from the IP in China and how the account was accessed. Guess what, they asked me to send an email with personal information on it… There is a serious problem and the proverbial is about to hit the fan. I have a few more days to go before the legal deadline runs out. Keep watching.
Oh, and I had Ad-Aware, Spybot and AVG running when it happened; no dodgy sites, cookies or emails were received. Microsoft are running scared and want to make a federal case out of it.
Later
MD
Mark Doyle
29th June 2009 @ 12:34 am
P.S.
Pass this on to as many people as possible. Microsoft needs to learn that being an international company means international laws apply, not just the US laws: laws in every country in which they or their agents operate. If you have a problem with data and Microsoft, make the demand through the local office in your country of residence or citizenship; once this has been done, the data laws pertaining to that country apply regardless of what Microsoft say. Good luck.
Mark Doyle
29th June 2009 @ 8:26 am
Hi Stuart
Got hit by a trojan email this morning with a link to a company in China. The IP address was in Westfield, New Jersey. Antivirus alerted on the problem in Live Mail but I could not delete it. Problem: I managed to delete it via the site, but with no warnings or flags. I forwarded it to Microsoft for them to examine with all the source code, but it freaked out Live Mail again when it synced, and I had to delete it from my on-site sent box. I shall be monitoring my account once more, and this looks like another vulnerability incident that needs to be resolved.
Later
MD