Categories
Internet Technology Thoughts

Wide-spread exploitation of security hole in Windows Live Mail

Yesterday, April 5th 2009 at approximately 4:30pm (BST), several messages were sent from my HoTMaiL account to every single one of my MSN contacts. Luckily, this account is long-dormant – but unfortunately, Windows Live operates a shared list of contacts between Mail and Messenger (which I do still use, for my sins).

The message test was:

Great shopping for you!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!

The URL that followed was from the following domain:

Domain Name: DTPLAZA.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.DNS.COM.CN
Name Server: NS2.DNS.COM.CN
Status: clientTransferProhibited
Updated Date: 28-mar-2009
Creation Date: 28-mar-2009
Expiration Date: 28-mar-2010

… which was only registered 8 days prior to this email being sent. It appears that many other people have been having similar issues for days, though:

5 people having been hit since 9th March;
3 people having been hit since 26th March;
24th February (same message with a different URL);
26th March (same message with a different URL).

Other occurences in mailing-lists are here and here.

Worryingly, here is a spam blog post… did this user have the ability to create posts via email turned on, or is even more of the Live infrastructure compromised?

I believe that this must be a vulnerability within the Windows Live infrastructure: My mail account was unused, me having not logged in to it for months. I do use MSN Messenger and did start Windows 7 over the weekend which caused Live Mesh to update – both of which use the same login data. The password on the account was strong and not dictionary-based, and I haven’t used any public terminals or unsecure Wifi connections recently – and probably not for Microsoft services for several years.

I can therefore only see three possibilities for the cause of this:

Some organisation has the capability to crack Windows Live passwords en-mass
This is the most unlikely scenario, as the time needed to crack even a small number of weak dictionary-based passwords is enormous. Additionally, you’d hope that there would be rate-limiting mechanisms on login infrastructure to prevent an attacker spamming possible passwords at the maximum rate the network allows. Hopefully this rate-limiting isn’t source IP address based, as in today’s world of pervasive botnets, each individual machine need only send a small number of requests to cover large chunks of password dictionaries. I have checked such dictionaries for my password, though, and it isn’t listed.
MSN Messenger has a login vulnerability
If Messenger were vulnerable to a man-in-the-middle or replay attack, then an attacker would already have the login name (the user ID) and could potentially gain the account password. This would be a major hole in such a widely-used service, and would explain how my particular low-usage account could have been compromised. This option is troubling as it would give full access to all account data to an attacker. They could also change secret questions and follow linked accounts, probably trying the same password against these accounts. If this is the case, then the only solution until such a vulnerability is confirmed by Microsoft and fixed is to stop using the MSN Messenger protocol (as my work usage of MSN, the only significant use of this login information, is through the open-source Pidgin application).
The Windows Live infrastructure has a vulnerability
This is probably the most disturbing option, given the number of different ways in which Microsoft have tried to push what were originally HoTMaiL email account names as a form of universal ID. The silver lining is that the security model may not be blown-open, and it may only be facets which can be accessed by an attacker. For example, an attacker may be able to view the contacts list and send email, but may be unable to view other details or change passwords. This view would be supported by the fact that none of the people reporting having had spam send from their accounts has been locked-out of Live Mail… surely, if you’d expended a lot of time or effort to crack a service that you then had full control over (as any of the above options would imply) then the first thing you’d do is change the password to lock-out the owner whilst they work out how to get these details reset. Given that anyone inadvertently sending spam will likely find out this situation from contacts fairly quickly, this doesn’t seem to disclose any additional information. At the same time, many users may be unsure as to what they are able to do to resolve the situation, and so the attack may simply rely on affected people doing nothing, whereas an account lock-out prompts action.

My hunch is that the situation is described by the third option above: Other than Messenger, I make no use of other Windows Live services and haven’t for months – this suggests an attack against the Live infrastructure directly. The only question is then of what level of access an attacker gains: can they read the existing password? If not, then there will be a lot of spam going around until Microsoft fix the problem. If so, then all Microsoft IDs and all data associated with them are compromised, and these accounts should be closed immediately.

What needs to happen is for Microsoft to go public about this problem, how wide-spread it is, what information is compromised, and what they are doing about it. Until then, all Microsoft services should be approached with utmost caution.

20 replies on “Wide-spread exploitation of security hole in Windows Live Mail”

Hi Stuart

Microsoft are backing down and are entertaining my request for the moment. I received an eleventh hour telephone call from a UK escalation specialist from the response management team, they have asked for a little more time and I have given them an initial 48hrs in agreement with the ICO in which they must give a realistic time for the delivery of information. So let’s see what happens next.

Later

Mark

Hi Stuart,

Just had a conversation with the UK specialist, their legal department has the matter in hand but has failed to respond. They have been given until the end of today to respond with a time period or issue a notice for the decline of request. If they do not respond with a time period or decline the request, the pursuance of the complaint will be made on Monday’s start of business. I have a contingency plan running along side, but those details will be held back for the time being as it is always best to keep a few cards up your sleeve.

Regards

Mark

Hi Stuart

Microsoft UK legal has not responded, I am proceeding with the complaint with the ICO, what they will now realise is that I don’t bluff and will sink my teeth in and won’t let go. I have given Microsoft UK 40 days to supply every bit of information they hold on me under the data protection act on top of my original hotmail request.

Regards

Mark

Hi Stuart

If anyone has been a victim of their hotmail account being compromised, make the complaint initially through the website and as soon as you get a response send the following message in reply and most important of all include the following email address. csfeed@microsoft.com (contact from hotmail support), I (your name) request that you disclose the following information relating to myself under the data protection act 1998 and under the act you have 40 calendar days in which to comply. If you require any further verification of my identity I will do so by post to the UK offices only, however it does not give reason for not compiling the information requested.

Sincerely

If they come back with the ECPA tell them it does not apply as you are a UK resident and that request is discriminatory further more you will not extend the deadline and give the date.

Reagrds

Mark

Good News everyone

I have spoken to Microsoft once more and they are compiling my data. They want to continue discussions regarding procedures for complaints handling for UK Hotmail customers and realise there is a gap in customer service procedures in this respect and dealing with data protection requests. Proof is in the pudding, we shall wait and see

Regards

Mark

Phishing attack targets Hotmail [BBC News]

Hmm… “phishing attack”, eh?

More here – although I suspect the latter really is from phishing.

There’s a problem here – publishing the list (account names only, obviously) allows affected users to discover that they’re compromised, but also gives a list of valid accounts to ne’er-do-wells. Immediately taking the list down, though, doesn’t allow people to check whether they’re affected – and I’ll bet that most people won’t bother to change their passwords if there’s not a proven need.

Perhaps what’s needed is a two-password system and allowed IP list. If you’re connecting from a previously-allowed IP address, then either cookies are used to automatically log in or the primary password is accepted. However, if the connecting IP address isn’t pre-vetted (or even is outside of the home county/state/country/continent using geo-IP services) then auto-login with cookies is disallowed, and the secondary password has to be entered after the primary password is authenticated. Users could even have the option to disallow connections from non-vetted IP addresses until confirmed with a second factor… perhaps SMS confirmation, a smart-card, or a RSA-type token.

So long as the service doesn’t already leak like a sieve (and yes, I’m looking at Microsoft here) then this dual-authorisation system should give significant additional protection.

Just think of the economies of scale possible with a user-base the size of Microsoft’s or Google’s – either could offer a subsidised token to customers for little or no cost. There’s lots of issues around logistics and handling lost/replacement hardware – but, especially for Google with its Checkout service, the ability to roll out two-factor authentication universally would have to be a huge advantage over competitors such as Paypal.

I’m a tech consultant (architect/dev/analyst), and I’m fairly certain I’d have spotted phishing in an instant. I haven’t had any instances of malware/spyware/virus/worm in over five years now. I rarely use my hotmail account. I might log onto it once every few months and only because it’s linked to an account or two I occasionally use. I don’t use MSN Messenger. Last time I checked it, I found that a friend emailed me asking if I was advertising electronics. I checked my sent items and, sure enough, there were spam messages to my contacts and then some. I didn’t think to check my autoreply until I read a Slashdot article. It started not that long ago.

I think you’re right. They didn’t get it through a keylogger or phishing scam. My password is not dictionary-based and I used numbers and mixed case. That tells me they have a rather sneaky method, whatever it is. I’m inclined to think it’s within Windows Live.

That it’s still occurring tells me just how much Microsoft cares about it.

Leave a Reply to Mark DoyleCancel reply

Exit mobile version