Kuro5hin.org: technology and culture, from the trenches
Hotmail Sends Your E-Mail Address to Sites via HTTP Referer

By MEconomy in News
Thu Jul 13, 2000 at 12:04:15 PM EST
Tags: Security (all tags)

Netscape users of Hotmail will find their login id (aka email address) embedded in Hotmail's URL, which is conveniently sent to any sites you've clicked on (or seen images from) in your E-mail. Anyone could then associate your E-Mail address with your session, cookies, transactions, etc.
We've set up a test account on hotmail: user: showbug2me, pass: meconomy - open the appropriate E-Mail, and follow the instructions.
You can also see for yourself -- send the following URL to any hotmail account:

http://www.meconomy.com/cgi-bin/show_hotmail_bug
Open Netscape, go to your hotmail account, view the mail, and click on the link.

Anyone want to speculate why this only happens with Netscape browsers?


Hotmail Sends Your E-Mail Address to Sites via HTTP Referer | 39 comments (16 topical, 23 editorial, 0 hidden)
HTTP referrer leaking information? (4.50 / 4) (#5)
by Inoshiro on Wed Jul 12, 2000 at 05:28:03 AM EST

Alright, I accept that. It's been known for a long time that not everyone uses proper sanitization proxies (such as Junkbuster), so why is this news? You seem to hint that it doesn't happen if you use a certain non-Netscape browser. Do you have proof that this doesn't leak info with Internet Explorer? (Sorry, I don't have said product on any machines I own for philosophical reasons so I can't test it ;)).

And if this is true, why not report it to secure@microsoft.com? They are the appropriate people to contact about Microsoft related security problems. The fellow there can sometimes take a few mails back and forth before he sees the problem, but if you write out in detail a potential exploit, they'll listen -- and have something done about this. This is how I was able to get the "anyone can read an attachment knowing its name without being challenged for a login ID" problem fixed back in December.

So this isn't really the appropriate place to mention this, except that there are a lot more sites than just hotmail which fail to sanitize the data (as they should).



--
[ イノシロ ]
Re: HTTP referrer leaking information? (none / 0) (#22)
by MEconomy on Wed Jul 12, 2000 at 11:06:30 PM EST

Hotmail currently sends users of Internet Explorer 5.x to a different handler machine, and uses different URLs to display E-Mails. These URLs do not have the same embedded login name bug that happens when you use Netscape 4.x. I haven't tested any other browsers.

[ Parent ]
The solution to this, as to many other privacy pro (1.67 / 3) (#8)
by PresJPolk on Wed Jul 12, 2000 at 06:06:14 AM EST

The Internet Junkbuster.

This is a long known behavior of such services ... (none / 0) (#17)
by ejf on Wed Jul 12, 2000 at 08:09:37 PM EST

This is a pretty well known behavior of eMail sites. I don't think it's all that relevant, though. If I send you an eMail, I know I sent you an eMail. Associating site hits with you then is pretty easy (I could, for example, just associate a link with an eMail address, as in http://somewhere/?id=1231. Most users won't bother removing that id tag (it MIGHT be part of the URL, you never know), and voila: I can connect the session to an eMail).

The exact same thing is possible with web-bugs and inlined graphics. This is not only a problem of Web-Based eMail-Services, but also with clients that interpret HTML and load external sources (as in : Outlook, Netscape Messenger, Eudora, and many others).

Having the spelled-out eMail address in the referrer is not needed for a scheme like this to work. Any twisted mind can make up a thousand other ways to do the exact same thing :-)


--- men are reasoning, not reasonable animals.
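The scheme sketched in comment #17 above, as an added example that is not code from the original page: the sender tags each recipient with a unique token in an inlined image (a "web bug") or a link, and the tracker resolves a hit back to the address without needing anything in the Referer. The second half is the check a web-mail front end or mail client can run before rendering: list every remote resource the HTML would fetch automatically, so it can be blocked or proxied instead of loaded with the user's cookies and Referer. The tracker hostname, the `t` query parameter, the sample address and the sample message are constructed for illustration.

```python
"""
Web-bug tracking by per-recipient token (sender side) and the remote-resource
check a mail client can run before rendering HTML mail (receiver side).
Added example; hostnames, parameter names and sample data are constructed.
"""
import secrets
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TRACKER_HOST = "tracker.example"   # constructed


class RecipientTracker:
    """Sender side: mint one unguessable token per recipient and resolve hits
    back to the address. Random tokens (rather than ?id=1231 style counters)
    stop third parties from enumerating or forging recipient ids."""

    def __init__(self) -> None:
        self._recipient_by_token: Dict[str, str] = {}
        # (recipient, visitor cookie) pairs: the address is now tied to a cookie
        self.hits: List[Tuple[str, Optional[str]]] = []

    def pixel_url(self, recipient: str) -> str:
        token = secrets.token_urlsafe(16)
        self._recipient_by_token[token] = recipient
        return "http://%s/pixel.gif?%s" % (TRACKER_HOST, urlencode({"t": token}))

    def record_hit(self, url: str, visitor_cookie: Optional[str]) -> Optional[str]:
        """Called when the recipient's client fetches the image (or follows a
        tagged link). Returns the recipient the hit was attributed to, or None
        if the token is missing or unknown."""
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        recipient = self._recipient_by_token.get(token)
        if recipient is not None:
            self.hits.append((recipient, visitor_cookie))
        return recipient


class RemoteResourceFinder(HTMLParser):
    """Receiver side: collect every external resource an HTML mail would fetch
    automatically when rendered. Links (<a href>) are deliberately left out:
    they only fire on a click, which is the user's decision."""
    AUTO_FETCH = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "embed": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.remote: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag.lower())
        if attr is None:
            return
        value = dict(attrs).get(attr)
        # cid: (inline attachment) and relative references fetch nothing remote
        if value and urlparse(value).scheme in ("http", "https"):
            self.remote.append(value)


def remote_resources(html: str) -> List[str]:
    finder = RemoteResourceFinder()
    finder.feed(html)
    finder.close()
    return finder.remote


def demo() -> Dict[str, object]:
    """One tagged mail: the client finds the web bug; if it is loaded anyway,
    the tracker ties the visitor's cookie to the address."""
    tracker = RecipientTracker()
    pixel = tracker.pixel_url("alice@example.org")        # constructed recipient
    html = ('<html><body><p>Hello</p>'
            '<img src="%s" width="1" height="1">'
            '<img src="cid:logo">'
            '<a href="http://shop.example/?ref=mail">deal</a>'
            '</body></html>' % pixel)
    found = remote_resources(html)
    attributed = tracker.record_hit(found[0], visitor_cookie="dc_id=9b1")  # constructed cookie
    return {"remote": found, "attributed_to": attributed}


if __name__ == "__main__":
    print(demo())
```

A client that refuses to load anything `remote_resources` reports, or fetches it through an anonymising proxy without cookies or Referer, defeats both this scheme and the Hotmail leak the story describes; the tagged link still works the moment the user clicks it, which is why the token must not be guessable.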
Re: This is a long known behavior of such services (none / 0) (#18)
by dash2 on Wed Jul 12, 2000 at 09:23:58 PM EST

If I send you an eMail, I know I sent you an eMail. Associating site hits with you then is pretty easy

I guess the point is that in this case, sites don't even need to send you an email, they get your email for free without even having to try. It seems relevantly different and interesting to me.
------------------------
If I speak with the tongues of men and of angels, but have not love, I am become sounding brass, or a clanging cymbal.
[ Parent ]

Re: This is a long known behavior of such services (none / 0) (#29)
by ejf on Thu Jul 13, 2000 at 09:42:44 AM EST

Some action is still needed (though not necessarily on the part of the site that wants your eMail address associated with a cookie or the like). Somebody has to send an eMail with the offending link ;-)

Just to base your eMail-gathering policy on an exploitable Hotmail flaw would seem silly, though. What about the majority of people who don't use Hotmail? If I wanted to gather that information, this approach would seem impractical to me (or at least inferior to web-bugs with encoded ids as described in the original post --> greater chance of actually getting an address or two associated :)


--- men are reasoning, not reasonable animals.
[ Parent ]
Re: This is a long known behavior of such services (none / 0) (#20)
by MEconomy on Wed Jul 12, 2000 at 10:50:41 PM EST

You're 1/2 right. The BIG difference is that you don't have to send any E-Mail. If I send you an HTML E-mail with an embedded image (doubleclick ad, 1 pixel gif), your E-Mail address is automatically sent to DoubleClick. If there's an embedded link, and you click on the link, it's sent to the new site. This is fairly huge, and definitely not "long known behaviour of such services".

[ Parent ]
Re: This is a long known behavior of such services (none / 0) (#28)
by ejf on Thu Jul 13, 2000 at 09:35:17 AM EST

Well. I take it that if a site wanted to associate your eMail with a session, it would send you an eMail. I see your point that there is no action needed if the eMail was sent by a third party, but then again, the eMail would be pretty meaningless. Another spam message or two if you follow links to questionable sites (and if there's a DoubleClick 1x1 in there, I suspect the sender of the eMail to be malicious, anyhow).

Just to defend Hotmail a little, many Web-eMailers have had this problem for quite some time (and some recently fixed this -- see GMX).

Let it suffice to say that DoubleClick in all likeliness could associate your eMail with a cookie whether it be through this flaw or through a more advanced approach.

Oh, and would you mind quoting me verbatim if you quote ? (j/k ;-)


--- men are reasoning, not reasonable animals.
[ Parent ]
RESPONSE: Promotion / Spam / "Common Sense" (4.80 / 9) (#19)
by MEconomy on Wed Jul 12, 2000 at 10:45:01 PM EST

I'd first like to say that anyone who thinks this security flaw is "common sense" hasn't a clue about internet privacy. Sending your E-Mail address to DoubleClick without your knowledge or consent is not "common sense", it's an egregious privacy violation, and I _very_ much wanted to publish that fact.

THERE WERE ZERO PLUGS FOR OUR COMPANY ANYWHERE in my original posting. On the "SHOW ME THE BUG" E-Mail, there was a single line that mentioned our newsletter. I take offense to the "stealth spam" comment -- we've spammed no one. We simply published a security bug and gave you a mechanism for you to see it for yourself.

As many have pointed out, there was a separate e-mail with open job listings for our company in the Hotmail account. I did this since I figured (1) it couldn't hurt, and (2) we went to the effort of providing the links and the scripts and thought someone might be interested in knowing more about us and might even want to help in our effort to create a 100% open source, completely "free" privacy protection product. I apologize for this -- I didn't realize how much people would take offense to this. (Of course, no one had to click on this separate E-Mail.....)

As for this being "typical behaviour for referers".... As many astute commenters pointed out, of course the URL of the previous page is passed in the referer header -- that's the point of the referer. HOWEVER, putting your EMAIL ADDRESS in a web-mail URL is as much of a privacy violation as putting your credit card number there and then serving DoubleClick ads on the page. Wake up people and think before you blast someone.

The script (http://www.meconomy.com/cgi-bin/show_hotmail_bug) that shows your hotmail address is pretty brain-dead simple -- it looks for "login=blah" in the referer, and then tells you what your address is. You never had to log into the Hotmail account -- we just provided one for those who didn't want to set up an account. I find it interesting that mature readers weren't smart enough to catch this, and then thought it a public service to disable the account to save the rest of the world....

I've set up another Hotmail account (sans any other E-Mails this time), should anyone want to take a look at the "SHOW ME THE BUG" E-Mail. user: showbugtome, pass: meconomy Please leave this up (with its password) so those who want to validate the bug can do so. I've also posted the "SHOW ME" message at: http://www.meconomy.com/showme.html, although you _have_ to be logged into Hotmail to see the bug. Feel free to send yourself a copy of this to your hotmail account to test.

If you'd like to comment on the appropriateness of the original posting directly, please send E-Mail to info@MEconomy.com. We'll be happy to respond. Also, if you'd like more information on this bug, we'll be happy to provide it (advertisement free).
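The leak described in the story and in comment #19, as an added example that is neither the original show_hotmail_bug CGI nor any Hotmail code: a web-mail page whose URL carries `login=<address>` embeds a third-party image or links out, the browser sends that page URL in the Referer header, and the third party reads the address straight out of it. The block shows the extraction a third-party host can do (the "look for login=blah in the referer" logic comment #19 describes), the leaky URL design beside a hardened one that keeps identity in a server-side session, and a simulated third-party handler showing what each design leaks. Hostnames, the URL shape, the session store and the cookie names are constructed; only the `login` parameter name comes from the page.

```python
"""
Referer leak of a web-mail login id: third-party extraction, leaky vs.
hardened URL design. Added example; everything except the "login" parameter
name is constructed for illustration.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

WEBMAIL_HOST = "webmail.example"   # constructed stand-in for the Hotmail host


def login_from_referer(referer: Optional[str]) -> Optional[str]:
    """What a third party learns from the Referer header alone."""
    if not referer:
        return None
    values = parse_qs(urlparse(referer).query).get("login")
    return values[0] if values else None


# --- the leaky design: the user's identity travels in the page URL ---------

def leaky_message_url(login: str, msgid: str) -> str:
    """Constructed 'view message' URL that names the login id (for Hotmail the
    login id is the mailbox part of the address, as the story notes)."""
    query = urlencode({"login": login, "msg": msgid})
    return urlunparse(("http", WEBMAIL_HOST, "/cgi-bin/getmsg", "", query, ""))


# --- the hardened design: identity lives in a session, not in the URL ------

SESSIONS: Dict[str, str] = {"sid-7f3a9c": "showbug2me"}   # constructed: cookie value -> login


def safe_message_url(msgid: str) -> str:
    """Same page, but the URL names only the message. Who is reading it is
    resolved from a session cookie, which the browser never copies into
    Referer. A session token in the URL would be no better: it would leak the
    same way and could be replayed by whoever received it."""
    query = urlencode({"msg": msgid})
    return urlunparse(("http", WEBMAIL_HOST, "/cgi-bin/getmsg", "", query, ""))


def resolve_login(cookies: Dict[str, str]) -> Optional[str]:
    """Server-side lookup the hardened page does instead of trusting the URL."""
    return SESSIONS.get(cookies.get("session", ""))


def third_party_view(request_headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Simulated handler on the third-party host (an ad server's 1x1 gif, or a
    linked page). All it gets is the headers the browser attaches to the fetch;
    the Referer is the web-mail page the resource was embedded in."""
    referer = request_headers.get("Referer")
    return {"referer": referer, "leaked_login": login_from_referer(referer)}


def demo() -> Dict[str, Optional[str]]:
    """Fetch the same third-party image from the leaky page and from the
    hardened page and compare what the third party learns."""
    leaky = third_party_view({"Referer": leaky_message_url("showbug2me", "42"),
                              "Cookie": "dc_id=abc123"})   # constructed ad cookie
    safe = third_party_view({"Referer": safe_message_url("42"),
                             "Cookie": "dc_id=abc123"})
    return {"leaky": leaky["leaked_login"], "safe": safe["leaked_login"]}


if __name__ == "__main__":
    print(demo())   # {'leaky': 'showbug2me', 'safe': None}
```

Even the hardened URL still tells the third party that the visitor came from the web-mail host and which message id was open; the browser preference in comment #35 below, or on current servers a `Referrer-Policy: no-referrer` response header, stops that as well. The same rule covers the username and password in the URL reported in comment #37: credentials belong in a POST body and a server-side session, never in a location the browser will advertise to the next site.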

Re: RESPONSE: Promotion / Spam / "Common Sense" (1.80 / 6) (#23)
by sakico on Thu Jul 13, 2000 at 12:00:40 AM EST

It isn't a security flaw, it's a place where a hotmail user's email address can be released thanks to the way that hotmail puts your userid in the http location. That the referring location is passed to the linked page is a design feature of http, allowing clued in webmasters to redirect deep linkers to their front page if they so choose.

Two things: First, again, this isn't news as it is known to anyone who has above a beginner's knowledge about http. Your product, I assume it to be commercial, purports to do exactly what many free alternatives already offer. "revolutionary new privacy tool" - The whole thing sounds like that security page on the internet that has a basic security check and uses scare tactics to try to convince you to buy their firewall product. (See also: Norton Antivirus - We'll protect you from viruses like Michaelangelo and trojans like BO, but only after they've been in the wild wreaking havoc for a week)

Second: Hotmail accounts are supposed to get spam. It's one of the unwritten rules of the internet, meant to punish users for a) using webmail, and b) using a webmail provider that even now makes it very difficult to specify how to filter the To: header.

My point being made earlier, I'm not about to go changing any details on the current hotmail account (if it hasn't yet been done). I simply think that people should be voting this story down as it is much ado about nothing.

[ Parent ]

Re: RESPONSE: Promotion / Spam / Common Sense (3.00 / 3) (#24)
by MEconomy on Thu Jul 13, 2000 at 12:22:15 AM EST

I have issues with the argument that you should be punished for using WebMail -- I know _many_ people in non-US countries that only have E-Mail because of such free services. It's nice when you have choice, but when your only mechanism for communication is the Internet cafe in the center of town because you don't HAVE phone service, let alone a computer, the world is a _very_ different place.....

Re: Referers -- Assuming that "anyone who has above a beginner's knowledge about http" knows that Hotmail sends your E-Mail address to third party sites without your permission when you view an HTML E-Mail is as absurd as storing your users' E-Mail addresses or credit card numbers in the URL. It's one thing to send the fact that you came from Hotmail, it's a completely different thing to broadcast personal information.

Re: MEconomy -- The point was not to discuss MEconomy, pitch our product, or get free advertising (as I explain above). The point was to let people know that Hotmail was leaking their E-Mail addresses without their knowledge or consent. I hadn't heard of this particular Hotmail bug (and still can't find any mention of it in the rags -- if you know of one, please send them to me)

[ Parent ]
Re: RESPONSE: Promotion / Spam / Common Sense (1.20 / 5) (#26)
by sakico on Thu Jul 13, 2000 at 03:04:04 AM EST

Rather than flaming you for blatantly missing a few aspects to my post, I'll simply say that I'm resigned to the fact that this article looks bound for the mainpage despite the (to my eyes) apparent lack of merit.

First, people should know that this has been happening for years. Secondly, what difference does it make if Doubleclick gets my email address? (they won't get mine easily, but I wouldn't care that much if they did.) They can't do a heck of a lot more with it than they can with IP addresses, cookies, etc.

But then, I'm not a profile-paranoia nut. I use credit cards to buy trivial items, get two air miles for filling my tank, save four cents on groceries by using my club card, etc. If this means the fliers I get in my mail box might not go straight into the trash (targeted ads, see), all the better.

In any event, this strikes me as an event nearly so worthy of attention as the famed NSA_Key incident.

[ Parent ]

Re: RESPONSE: Promotion / Spam / "Common Sense" (3.50 / 2) (#36)
by adamsc on Thu Jul 13, 2000 at 01:56:16 PM EST

Two things: First, again, this isn't news as it is known to anyone who has above a beginner's knowledge about http.
This is deliberate deception. That beginner's knowledge of HTTP would include the knowledge that the referer field exists. Putting sensitive information in the URL is pure laziness and demonstrates a complete lack of awareness of security issues; there's a reason sessions are so common.

Again, the referer field existing is not news. A major service completely forgetting both basic security theory and numerous past problems is.

Second: Hotmail accounts are supposed to get spam. It's one of the unwritten rules of the internet, meant to punish users for a) using webmail, and b) using a webmail provider that even now makes it very difficult to specify how to filter the To: header.
I really hope this is a failed attempt at humor.

[ Parent ]
Trivial to fix (4.30 / 6) (#35)
by Anonymous Hero on Thu Jul 13, 2000 at 01:15:20 PM EST

On Linux anyway; dunno about netscape on other OSes:
  1. Quit netscape
  2. Add the line:
    user_pref("network.sendRefererHeader", false);
    to your .netscape/preferences.js.

Voila, Netscape will now never send the "Referer:" field.

Note that this may cause breakage on other sites that use the referer field as a mild form of access control (e.g. to ensure that a story isn't being linked to from a third party site).



Very common (2.00 / 1) (#37)
by Anonymous Hero on Thu Jul 13, 2000 at 02:07:36 PM EST

I remember looking at various website referrers through some free service. It just so happens one websurfer worked for channel4000.com, and it showed the referrer from that site. Guess what else it showed? The employee's username and password, right in the clear. Is that something that could be cleaned up on the server side?

This is going to be fixed soon (5.00 / 1) (#39)
by Anonymous Hero on Thu Jul 13, 2000 at 10:54:12 PM EST

Somewhere in the late August to early September timeframe this will be fixed - usernames will no longer be exposed on the query string. I have no idea whether this was intentional, or whether it was merely an accidental consequence of a change which was made for other reasons.

Posted anonymously for reasons which will be obvious if you think about it.


All trademarks and copyrights on this page are owned by their respective companies. The Rest © 2000 - Present Kuro5hin.org Inc.