Tuesday, November 21, 2006

Hotmail Cracked Badly

All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically, there is a web page with a form (no, I'm not going to link it here, but I've seen it) that allows you to log in as anyone and read/write/delete their email. Be afraid, and if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD."

Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

Using InterMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:

Simply replace ENTERLOGINHERE with the account you are cracking.
This seems like a clear-cut backdoor-type crack: Hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN Passport.

Regardless, you could crack the most "secure" OS if it's administered badly. The OS's security features only set an upper limit on the security you can obtain. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they messed it up.
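A minimal sketch of the check the post says was missing, added here as an illustration and not taken from Hotmail or the original post: the mailbox is chosen from a server-signed token issued at login, never from the login name in the URL. All names (`SERVER_KEY`, `issue_token`, `open_mailbox_checked`, the `login` parameter) are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
TOKEN_TTL = 900                       # assumed lifetime of a login, in seconds


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(login, now=None):
    """Called only after the password check has succeeded."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{login}|{expires}"
    return f"{payload}|{_tag(payload)}"


def verify_token(token, now=None):
    """Return the login the token was issued for, or None if it is invalid."""
    try:
        login, expires, tag = token.rsplit("|", 2)
        expires = int(expires)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = _tag(f"{login}|{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or edited token
    if (time.time() if now is None else now) > expires:
        return None  # stale login
    return login


def open_mailbox_trusting_url(params):
    """The flaw described above: whatever login the URL names is believed."""
    return params.get("login")


def open_mailbox_checked(params, token):
    """Hardened: identity comes from the verified token, not from the URL."""
    login = verify_token(token)
    if login is None:
        return None
    # A login named in the URL is only accepted if it matches the token.
    requested = params.get("login", login)
    return login if requested == login else None
```
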
