Bugtraq mailing list archives
Re: Messenger/Hotmail passwords at risk
From: "Jeffrey W. Baker" <jwbaker () acm org>
Date: Mon, 9 Jul 2001 12:32:54 -0700 (PDT)
On Fri, 6 Jul 2001, gregory duchemin wrote:
> hi bugtraqers,
>
> Background
> ==========
>
> I sent the following advisory to Microsoft about 1 month ago, and since then I have not gotten any reply. The problem described below still works on the latest MSN client version currently available. A bug in the Hotmail Messenger cryptographic system may allow the recovery of millions of hotmail mailboxes' passwords.
Uh huh. So you are saying that, given MD5(password), password may be recovered by brute force. And this is new/interesting in what way? You can brute force ANY_FUNCTION(password) in exactly the same way. The password is a secret key, and its length is important.
> say user toto has a password "titan" then his client generates the string "yyyyyyyyy.yyyyyyyyytitan" and the corresponding MD5 hash, say xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. the client sends MD5(yyyyyyyyy.yyyyyyyyytitan) on the wire.
>
> Problem
> =======
>
> by sniffing the wire, a malicious user can obviously retrieve the scrambler string and the final hash. then he can start a bruteforce session trying all password combinations with the same scrambler prepended and comparing the resulting hash with the one he previously sniffed. (an exhaustive attack)
Wow, if you are worried about that I suggest you have a good long look at the SMB protocol!

-jwb
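Added example, not part of the original message or of any Microsoft code: it models the exchange quoted above as MD5(scrambler + password) and estimates how long an exhaustive search of the password space would take at the rate this machine computes that function, which is the point about password length made in the reply. The scrambler value, function names and alphabet choices are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values; the post only gives the placeholder
# "yyyyyyyyy.yyyyyyyyy" for the scrambler and "titan" as the password.
CHALLENGE = "123456789.987654321"
PASSWORD = "titan"

def response(challenge: str, password: str) -> str:
    """Value sent on the wire per the post: MD5(scrambler + password)."""
    return hashlib.md5((challenge + password).encode()).hexdigest()

def verify(challenge: str, stored_password: str, received: str) -> bool:
    """Server-side check; constant-time comparison of the two hex digests."""
    return hmac.compare_digest(response(challenge, stored_password), received)

def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def guesses_per_second(samples: int = 50_000) -> float:
    """Measure how fast this machine evaluates the response function."""
    start = time.perf_counter()
    for i in range(samples):
        response(CHALLENGE, str(i))
    return samples / (time.perf_counter() - start)

def exhaust_seconds(alphabet_size: int, max_len: int, rate: float) -> float:
    """Worst-case time to try every password at `rate` guesses/second."""
    return keyspace(alphabet_size, max_len) / rate

def report(rate: float) -> list:
    """Rows of (alphabet, max length, keyspace, worst-case seconds)."""
    rows = []
    for name, size in (("a-z", 26), ("a-zA-Z0-9", 62), ("printable ASCII", 95)):
        for max_len in (5, 8, 12):
            rows.append((name, max_len, keyspace(size, max_len),
                         exhaust_seconds(size, max_len, rate)))
    return rows

if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"measured rate: {rate:,.0f} responses/second (single Python thread)")
    for name, max_len, total, secs in report(rate):
        print(f"{name:16} len<={max_len:<2} {total:.3e} candidates  {secs / 86400:.3e} days")
```

The function applied to the password sets only the cost per guess; the number of candidates is set by the password's alphabet and length, so a five-letter lowercase password such as "titan" sits in a space of about 12 million candidates whatever function is used.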