Thanks Hatter for this. MSN Hotmail users, guard your cookies. A simple technique for accessing Microsofts free e-mail service without a password is in the wild and apparently being exploited.
The trick involves capturing a copy of the victims browser cookies file. Once the perpetrator gains two key Hotmail cookies, theres no way to lock him out because at Hotmail, cookies trump even passwords.
"Whats scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in," said Eric Glover, a New Jersey-based programmer who has a doctorate in computer science from the University of Michigan.
Glover said he unearthed the Hotmail cookie problem when a friends former boss started accessing the friends Hotmail account -- and continued to use the account even after the pal repeatedly changed her password.
After studying Hotmails sign-on process, Glover concluded that the snoopy manager likely had grabbed a copy of the Hotmail cookies from the friends work computer or a back-up tape and had been using them to digitally unlock her Web mail account.
Microsoft officials said Thursday that the Hotmail service offers users several tools to limit what the company terms "cookie-based replay attacks" but added that Microsoft is "always looking at ways to protect users further, as well as giving them more control over their online experience."
News source: Wired News - Hotmail at Risk to Cookie Thieves