Hotmail Exploit Silently Snooped & Microsoft Audio CAPTCHA Easily Defeated

Bad news for Microsoft again as security researchers prove two very different fails - Hotmail exploited to silently "steal" email and Microsoft audio CAPTCHAs defeated. The audio CAPTCHAs were also easily broken for Digg, Yahoo, eBay, and Authorize.

More bad news for Microsoft in the form of security researchers proving two very different fails - audio CAPTCHAs defeated and Hotmail exploited to silently "steal" email.

The first fail is not leveled solely against Microsoft: Stanford University researchers found a way to break popular audio CAPTCHA technology used by Microsoft, Yahoo, eBay, and Digg. In "The Failure of Noise-Based Non-Continuous Audio Captchas" [PDF], the researchers built a program called Decaptcha that can listen to and decipher audio CAPTCHAs. The study called most CAPTCHA methods "inherently insecure." Using Decaptcha, the researchers report that the "per-captcha precision of Decaptcha is 89% for Authorize, 41% for Digg, 82% for eBay, 48.9% for Microsoft, 45.45% for Yahoo and, 1.5% for Recaptcha. We improve our previous work's result on eBay from 75% up to 82%." They concluded that Decaptcha's accuracy against commercially available audio CAPTCHAs rivals crowd-sourced attacks. Exploiting the weakness with Decaptcha requires no specialized knowledge or hardware: "Its simple two-phase design makes it fast and easy to train on a desktop computer."

Although the researchers generated 4.2 million audio CAPTCHAs, which are offered as a choice for visually impaired users, not all schemes proved equally vulnerable. Google's reCAPTCHA, which is used on sites like Facebook, YouTube, Twitter, 4chan, StumbleUpon and Ticketmaster, is not wide open to attack because its audio CAPTCHA scheme has semantic noise built into it, meaning added noise like conversations in the background.

This is not the first proven flaw, or real-world attack against CAPTCHAs. Last year, Webroot showed how a Pushu variant Trojan was bypassing Microsoft's Hotmail and Live CAPTCHAs to spam users. Now there's more bad news for Hotmail users. For at least two or three weeks, a Hotmail exploit made it possible to trigger an attack to silently snoop on targeted victims' emails and contacts as well as add email forwarding rules to users' accounts.

According to Trend Micro, the attack could be carried out by simply opening or previewing a maliciously crafted email. It required no clicking on a link; if the tainted email was merely opened, embedded commands would upload the victim's contacts and emails to servers that attackers controlled. It also enabled email forwarding on the targeted Hotmail accounts, so that attackers could continue to "steal" correspondence and snoop on any of the victim's emails in the future. The vulnerability took "advantage of a script or a CSS filtering mechanism bug in Hotmail" and therefore executed automatically, downloading a script from a remote URL.
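The defensive lesson from a "script or CSS filtering mechanism bug" is that a webmail client should rebuild an incoming HTML body from an allowlist of tags, attributes and URL schemes rather than try to blocklist dangerous strings. The following is an added example, not Hotmail's filter or Trend Micro's code: a small allowlist sanitizer in Python's standard library that drops script and style elements with their content, removes event-handler attributes, rejects non-http(s)/mailto link targets, and strips inline styles that could fetch remote resources. The tag and attribute lists and the sample message are constructed for illustration; the `.invalid` host is a reserved placeholder.

```python
"""Allowlist-based sanitizer for HTML email bodies (added example, not the
original article's or Hotmail's code). Tag/attribute lists and the sample
message below are constructed for illustration."""
from html.parser import HTMLParser
from html import escape
import re

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "h1", "h2", "h3",
                "blockquote"}
ALLOWED_ATTRS = {"href", "title", "style"}      # on* handlers are never listed
VOID_TAGS = {"br"}
# These elements are removed together with everything inside them.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
# Inline-CSS constructs that load remote resources or ran code in legacy engines.
UNSAFE_CSS = re.compile(
    r"(url\s*\(|expression\s*\(|@import|behavior\s*:|-moz-binding|javascript:)",
    re.I)


def safe_url(value):
    """True only for absolute http(s)/mailto URLs; control characters and
    whitespace are removed first, because browsers ignore them in a scheme."""
    v = re.sub(r"[\x00-\x20]", "", value.lower())
    return v.startswith(SAFE_URL_SCHEMES)


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []           # rebuilt, escaped output fragments
        self.open_tags = []     # stack used to emit well-formed closing tags
        self.skip_depth = 0     # >0 while inside a dropped-content element
        self.dropped = []       # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.dropped.append(f"element <{tag}> and its content")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"element <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                self.dropped.append(f"attribute {name} on <{tag}>")
            elif name == "href" and not safe_url(value):
                self.dropped.append(f"href with disallowed scheme on <{tag}>")
            elif name == "style" and UNSAFE_CSS.search(value):
                self.dropped.append(f"style with unsafe CSS on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:               # close up to the matching tag
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

    def result(self):
        self.close()
        while self.open_tags:                   # close anything left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_email_html(html):
    """Return (clean_html, list_of_removed_items)."""
    s = EmailSanitizer()
    s.feed(html)
    return s.result(), s.dropped


# Constructed sample message mixing benign markup with active content.
SAMPLE = ('<p style="color:red">Security notice</p>'
          '<script>fetch("https://attacker.invalid/x")</script>'
          '<a href="javascript:alert(1)" onclick="run()">Review account</a>'
          '<div style="background:url(https://attacker.invalid/beacon.png)">body</div>'
          '<a href="https://example.com/help">Help</a>')

if __name__ == "__main__":
    clean, removed = sanitize_email_html(SAMPLE)
    print(clean)
    for item in removed:
        print("removed:", item)
```

The `dropped` audit trail is what a mail platform would log: a message whose body sheds a script element and a remote `url()` style is a candidate for closer inspection even though the rendered copy is now inert.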

Trend Micro said Microsoft has since patched the Hotmail bug, but before the fix it was being used in in-the-wild attacks. They discovered it after a colleague in Taiwan opened an email which was supposedly a security warning from Facebook. After first discovering the Hotmail bug, Trend Micro wrote, "The email message seems to have been specially crafted per recipient, as it uses each user's Hotmail ID in the malicious script that it embeds." They also pointed out an "often ignored" danger to businesses that allow employees to check their personal email accounts at work. If an employee was targeted and victimized, it "gives the attacker access to sensitive information that may be related to their company, including contacts and confidential messages."

At the time of posting, Microsoft had not replied about how many Hotmail users may have been compromised or if targeted Hotmail accounts, or any Hotmail users, have been notified.

Update: Microsoft Senior Response Communication Manager Bryan Nairn replied, “On Friday May 20, we updated our Windows Live Hotmail service to address a targeted security issue that could allow information disclosure if a customer was affected. No action was required for customers, as they were automatically protected by the update.”


Copyright © 2011 IDG Communications, Inc.
