I’m a great fan of Miranda, a really nice multi protocol instant messenger. It supports msn, icq, aim, irc and many others. I like it mainly because “Only the most basic features are built in“. I daily use it for talking with my friends on msn and icq and I have never had a single problem with the software.
Just some days ago I discovered a msn feature I’ve never seen before: “Display Hotmail inbox”. It lets you go to your mailbox directly without entering your username and password. Cool but… can someone access my mailbox? I started to investigate a little trying to answer the question. The answer is: yes, it’s sometimes possible to gain Hotmail user’s password!
To view Hotmail inbox, Miranda passes a parameter to your preferred browser. To discover the string you only have to look inside your browser url box. The parameter is something like (the string was split in few lines but it’s a single long string):
This is the string used to access the mailbox. Think about this scenario: you are working with your pc and in the meanwhile someone (call him Bob) is running a malware on your machine. You decide to read your (Hotmail) mail using miranda’s msn feature. The malware catches the parameter sending it to Bob’s computer. You are reading your mail and Bob? Bob is reading your mail too…
Another simple example: look inside Firefox’s history tab, the parameter is located somewhere in the list and it’s available for everyone. In a public computer everyone can read the parameter.
It’s not hard to get the string, there are some ways for easily catching the parameter. I decided to drop a question inside Miranda’s developer forum, just to know what they think about this behaviour. They gently reply to me, but they are not thinking to change the option. This is what they told me: “this parameter will change the next time you login. I might change it but there were no plans so far.” Yes, next time it will change but not now, and one could be enough.
The string is composed by some fields, the ‘&’ is used to separate the fields; you’ll surely be able to find informations about this kind of string on the net. At the moment I’m interested in some fields only:
Three parts only:
username: contains the user’s mail address
auth: a very long string composed by two parts: a fixed part and a variable part. The variable part is represented by the last 4 bytes of auth string (“_RCE” in the example above). These 4 bytes are not always the same because they depend on the system time.
creds: obtained applying MD5 algorithm to the string formed from auth and password, where password is the user’s hotmail password.
Now you should understand why they told me “this parameter will change the next time you login”. The current session remains available for few minutes; I don’t know exactly, I think from 5 to 10 minutes. Ok, but the question is: “am I able to retrieve a password working a little on these 3 parameters”?
Theoretically, yes, but in practice could be not easy because you have to deal with MD5 hash. The scheme is simple:
MD5(auth+password) = creds
I don’t know any clever approach for the problem so I tried writing a program able to find password using the most stupid approach. You can imagine what kind of approach I’m talking about.
I did a test with 7 friends of mine sending them the program I wrote. 5 of them told me the program was able to find the password in few minutes. I would say it’s a nice result, but it leads me to believe:
1. the approach works
2. they are using short password
It’s all in point number 2, how secure is your password?
Some months ago I read an interesting article about the passwords used by people (too bad I don’t remember the link). There was a nice diagram showing that the large variety of people use short password (from 4 to 7 bytes) without simbols, numbers and capital letters. I bet almost all my friends are using simple password…
I would encourage everyone to use a *strong* password. There are many places around internet explaining how to build a secure password. You can try looking at this one, it’s a password checker from Microsoft and it has a link to a tutorial titled “Strong passwords: how to create and use them”. Try to follow some simple rules instead of using things like:
– your boyfriend/girlfriend/wife/husband name
– your dog name
– your birthday number
and so on… This is a general rule applicable not only to Hotmail and this specific case.
Ok, I’m at the end of this sort of proof of concept. I don’t know if they (Miranda’s developers) have to change something in ‘Display Hotmail inbox’ implementation, maybe it’s only paranoia… I’m curious to see how other IM programs manage this feature, do they have the same problem?
I’ll continue to use Miranda btw, it’s a really nice program!