Hacker News new | comments | show | ask | jobs | submitlogin
Hackers could read non-corporate Outlook.com, Hotmail for six months (arstechnica.com)
213 points by pseudolus 8 days ago | hide | past | web | 55 comments | favorite





Storytime!

When I worked for MSN/Hotmail around 2000-2003, there were dozens of helpdesk folks who had access to an admin panel to easily view any email and could view/edit PII for anyone with very little (if not zero) accounting or auditing. It was protected by plaintext auth and open to the internet.

One employee told me that he caught his wife cheating by reading her mail.

Another used it to recover their own stolen EQ account worth thousands.

I personally used this access to help a friend recover a hacked/stolen Hotmail account. I told them the email address, what had happened to it, and they forwarded me a screenshot of their Passport.NET PII details for them to use the self-service password reset.

Obviously not much has changed.


Just prior to your mentioned timeline Hotmail was vulnerable via query string params. A rather non-technical friend of mine brought this up in conversation and I didn't believe him, so he told me to log in to my account. He took a quick look at the URL and wrote down a param, then logged into my account on his machine. IIRC it was patched about month later but still, those early days of the web were pretty wild.

In 2002-2003 you could access anyone else's Hotmail account by going to your own Settings page, adding an input field with the ID "SignInName", entering the email address you want to switch to, and clicking Save.

Imagine how security and oversight is at the typical startup company with millions of users today? Probably not much different.

Do you think things like this happen regularly nowadays? Most companies have logging in place but I'd assume there isn't resources to audit those logs unless a compelled by an outside complaint...

I've worked at some rather large companies with insanely relaxed security and auditing standards. I think it's even worse now than before because cloud providers make setting up a database cheap and simple. So today an individual or small team can throw together a production-scale MongoDB in a few hours and start filling it with potentially PII; whereas 10 years ago, something like that stood a good chance of having at least one external DBA/IT-person consulted before going into prod.

My line of thinking is to assume auditing and access controls are lax unless the data in question is part of the company's secret sauce, or is regulated by the government.


PII is personally identifiable info?

What's an EQ account?


EverQuest, I assume, which was a popular MMORPG prior to World of Warcraft

Yup.

I'm guessing EverQuest, which was pretty popular at that time.

Probably EverQuest

I remember knowing people on IRC who "had friends at Microsoft" who could do this kind of stuff to your MSN account, and I heard of people having their accounts stolen, but I never believed it. Guess there was some truth to it...

Let me get this straight: They were able to use a single helpdesk account password for six months to read arbitrary emails from arbitrary user accounts. There was no 2fa. There was no auditing. There was no integration with any sort of ticketing system ("you can only access an account if you're working on that specific user's ticket") or paperwork ("reason for access:"). There wasn't a single piece of automated monitoring to detect this account accessing accounts off-hours or accessing multiple accounts simultaneously. And this went on for six months. Did I misread something?

I've built systems which required "helpdesk" type access and had auditing, but the problem is where do think "audit summary report" is on the TODO pile for the people getting those summaries? I'm guessing it's between "Delete unread" and "I really ought to get around to it but I'm too busy so I never do".

Even when it comes to third party audit, those are ring binder driven processes. Does the audit report get generated? Yes, check. Does the person it goes to have a requirement to check it? Yes, check. Done, pass. Auditors _might_ ask to see an example report, but they definitely aren't going to add bogus entries to see what happens for example.

Spot checks aren't a thing in almost any industry. "Chaos Monkey" style checks aren't a thing anywhere at all. So it's easily possible that for six months (or three months) Microsoft was generating internal reports that said "Bob the Helpdesk worker has accessed ten times more user emails today than anybody else" and nobody was asking "Wait, why is Bob an outlier?".

With a targeted attack like this one, your suggestion about requiring a ticket doesn't help very much, the attacker is motivated to jump through hoops unlike script kiddies looking for low-hanging fruit. Insider fraud at banks has been known to go as far as a fake "customer" phoning up to authorize the steps that the bad guys want to take, so that there's an authorization on record when they do them and it won't immediately be flagged as a problem. The real customer may later convince a court that it wasn't them, but that's not real time, the insiders are long gone and so is the money.

Now, you can build systems where it's just impossible for even your own people to get access. But that has a high cost, as you will see in every thread where people castigate Google because they got locked out of something. Why can't Google just hire helpdesk people who have super-user access, they ask...


Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses. They handle a ton of email for a lot of people, people depend on them, and they are a big target.

If this was a specially privileged superuser account, it should have had more attention paid to it. Yes, it's hard to scale audits or monitoring to the entire customer support org. But if you only have three people that can actually read people's emails, you can certainly audit just their use.

If it's not a specially privileged superuser, then every random helpdesk account can read everything from everyone. This does not inspire confidence.

And even skipping all the complex systems that should have been in place for a system the size of Hotmail: Why did this account not have 2FA? This is basic stuff.


> Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses.

It's consumer Hotmail. From Microsoft’s perspective, that is probably excuse enough.

Of course, I've seen pretty bad things in large HIPAA covered entities with systems with PHI; insufficient security and accountability of support accounts and recovery processes is found lots of places.


Arcbyte@cousinrickeyshouseofemail.com has a nice ring to it

> I've built systems which required "helpdesk" type access and had auditing, but the problem is where do think "audit summary report" is on the TODO pile for the people getting those summaries? I'm guessing it's between "Delete unread" and "I really ought to get around to it but I'm too busy so I never do".

Auditing isn't a system feature, it's a business process feature. A system can have logging and even detection of situations requiring auditing, but if no one is systematically reviewing—auditing—the results, it doesn't have auditing.


This is an excellent point, thank you for putting it that way. I can't correct my post now, but this point is something I will definitely emphasise in any future system where I'm told audit is a requirement but I doubt that my technical work will actually deliver the effect intended because the "business process" part won't get done.

I wonder how fastmail is in this regard. Makes me want to reopen my protonmail account honestly

They definitely have access to at least some things. Not sure how it's audited or managed, etc on the backend. I had a problem with something, and what they said seemed to indicate the person I messaged looked at my stored information.

I do like that they have customer service though.


>Now, you can build systems where it's just impossible for even your own people to get access. But that has a high cost, as you will see in every thread where people castigate Google because they got locked out of something. Why can't Google just hire helpdesk people who have super-user access, they ask...

I don't see how allowing helpdesk operators to help users recover access to their accounts has any relation at all to the helpdesk operators having access to the account itself. They need to be able to access and update account metadata, not the account itself.


> I don't see how allowing helpdesk operators to help users recover access to their accounts has any relation at all to the helpdesk operators having access to the account itself. They need to be able to access and update account metadata, not the account itself.

So in your system the bad guy can't read my email because he only has the ability to access and update account metadata such as my password and the helpdesk system doesn't give him access to the actual email?

That would work, unless any of the bad guys is smarter than you and realises that they can use this metadata to... log into my account and read my email.


>That would work, unless any of the bad guys is smarter than you and realises that they can use this metadata to... log into my account and read my email.

No need to be so rude and disrespectful.

Obviously there needs to be a password reset mechanism. That mechanism can absolutely be designed in a way that does not involve the helpdesk operator having access to the password or the account.


People get locked out of their accounts because in addition to losing their password, they don't have access to the recovery email/phone/whatever which they already set (or never set one at all). If the helpdesk operator has the ability to change or otherwise set a destination for a recovery email/token/pin/secret to be sent then they have the ability to set their own account/device as the trusted reset device/account. There really isn't a way that normal people can use that would allow a helpdesk operator to give them back access to their account without also allowing the helpdesk operator to gain access to the account themselves if they so choose.

If the password is stored in plaintext or can be changed by an admin(in a method other than a reset where the user still sets the new password), we've got other problems.

You understood it correctly.

There are a great many failures of process here.


Microsoft claims it was just 3 months. Otherwise, on point.

90 days is a pretty typical rotation period for credentials. They probably noticed this when they rotated the password and the account got locked from wrong password attempts in short order.

Not surprised at all. This is the way enterprise systems are.

It's a little depressing to go to work and try to deal with the atrocious stuff I have to deal with, and then think how much of my life is online at companies probably just as bad as my own.


Surely gmail doesn't have something this terrible, right?

There's a blog post titled Into The Borg[0] that states:

> There is also a user “legal-discovery@prod.google.com” that has permission “auth.impersonation.impersonateNormalUser”

So it exists, but hopefully Google doesn't have the same issues with giving helpdesk employees access to impersonation.

0: https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-...


>And this went on for six months

By "this" you mean "Someone had access to that particular help desk account", not the whole system ?


Sounds like Microsoft...

This is totally insane. I'm totally baffled by the idea that Microsoft considers it okay for anyone except the owner to have any level of access to personal email accounts.

Having the 'owner' of the e-mail address have the only access is a better extreme than having everyone have access, but I don't think that's feasible. People within Microsoft will always have the ability to access e-mail accounts, the question is if they are the right people and how big that group of people should ever be.

If you are talking about secure e-mail cryptography philosophy along the lines of PGP, ProtonMail, et cetera, sure you can achieve that through those means. Otherwise it's a pipe dream with a product like Outlook that's built for businesses and having AD style control.


Of course there has to be a way to access email- how would they troubleshoot or fulfill legal investigations?

The problem is that an attacker can follow the "legitimate" path - and such attacks should be audited and detected, which is what obviously failed here.

Makes you wonder how vulnerable less mature services are...


I'm imagining a future cottage industry with companies holding offices in India/Russia/China/<elsewhere> with a full staff reading emails for blackmail material

(naturally finding a politician or celebrity once in a while)


"Future."

This further justifies my decision to use an email provider like Protonmail where only I can decrypt my emails' contents.

Interesting to understand the reason for the attack, it's to recover iCloud passwords so they adversaries can sell stolen iPhones! Wow!

Why would a customer support person need access to people's email without even seeking the customer's password ?

Support people should never require customer's password, and they should have to get explicit permission to access their account.

For example, they can get access to basic information and option to reset password, if user forgets the password. For anything else, they should get explicit permission (or it can be granted automatically when user opens a support ticket when he/she is logged in, if that's properly specified when creating a ticket).


Maybe to help them recover their password ?

Read my emails to recover my password? That‘s what „forgot your password“ link is for!

I am sure glad I switched to ProtonMail.

Not sure why you were downvoted.

Protonmail stores all your emails encrypted, with the encryption dependent on your password, so something like this couldn't happen there.


Seems like if ProtonMail can encrypt them automatically, then they can potentially be decrypted by someone at ProtonMail.

Reasoning:

Are emails automatically encrypted with a hash of the user password when they are received?

If the user forgets the password, how do password resets work?

Are the emails before the password reset "lost", or does ProtonMail keep a copy of the hashed password (which I suppose would be needed to log in with in the first place) to unencrypt the older emails, and re-encrypt with the newer password?


They are not encrypted using the user's password. They are encrypted using a standard PGP public key.

Yes, you lose your old emails if you reset password on ProtonMail.

Really? are there any docs I can read related to this?

It certainly is something that users should probably be aware of. At least I would...



If they really use your password to encrypt, they can also decrypt your emails. I doubt they would advertise this as encryption... I'm not sure what they do technically, but using the password doesnt sound like a good mechanism.

This is totally not something that NSA uses by the way.



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: