Hacker News

58 Comments:
fsckin said 3 months ago:

Storytime!

When I worked for MSN/Hotmail around 2000-2003, there were dozens of helpdesk folks who had access to an admin panel to easily view any email and could view/edit PII for anyone with very little (if not zero) accounting or auditing. It was protected by plaintext auth and open to the internet.

One employee told me that he caught his wife cheating by reading her mail.

Another used it to recover their own stolen EQ account worth thousands.

I personally used this access to help a friend recover a hacked/stolen Hotmail account. I told them the email address, what had happened to it, and they forwarded me a screenshot of their Passport.NET PII details for them to use the self-service password reset.

Obviously not much has changed.

chrsstrm said 3 months ago:

Just prior to your mentioned timeline Hotmail was vulnerable via query string params. A rather non-technical friend of mine brought this up in conversation and I didn't believe him, so he told me to log in to my account. He took a quick look at the URL and wrote down a param, then logged into my account on his machine. IIRC it was patched about month later but still, those early days of the web were pretty wild.

HyperTalk2 said 3 months ago:

In 2002-2003 you could access anyone else's Hotmail account by going to your own Settings page, adding an input field with the ID "SignInName", entering the email address you want to switch to, and clicking Save.

kerng said 3 months ago:

Imagine how security and oversight is at the typical startup company with millions of users today? Probably not much different.

clubm8 said 3 months ago:

Do you think things like this happen regularly nowadays? Most companies have logging in place but I'd assume there isn't resources to audit those logs unless a compelled by an outside complaint...

mywittyname said 3 months ago:

I've worked at some rather large companies with insanely relaxed security and auditing standards. I think it's even worse now than before because cloud providers make setting up a database cheap and simple. So today an individual or small team can throw together a production-scale MongoDB in a few hours and start filling it with potentially PII; whereas 10 years ago, something like that stood a good chance of having at least one external DBA/IT-person consulted before going into prod.

My line of thinking is to assume auditing and access controls are lax unless the data in question is part of the company's secret sauce, or is regulated by the government.

jonny_eh said 3 months ago:

PII is personally identifiable info?

What's an EQ account?

otachack said 3 months ago:

EverQuest, I assume, which was a popular MMORPG prior to World of Warcraft

fsckin said 3 months ago:

Yup.

jsiepkes said 3 months ago:

I'm guessing EverQuest, which was pretty popular at that time.

d4mi3n said 3 months ago:

Probably EverQuest

mgoia said 3 months ago:

I remember knowing people on IRC who "had friends at Microsoft" who could do this kind of stuff to your MSN account, and I heard of people having their accounts stolen, but I never believed it. Guess there was some truth to it...

saulrh said 3 months ago:

Let me get this straight: They were able to use a single helpdesk account password for six months to read arbitrary emails from arbitrary user accounts. There was no 2fa. There was no auditing. There was no integration with any sort of ticketing system ("you can only access an account if you're working on that specific user's ticket") or paperwork ("reason for access:"). There wasn't a single piece of automated monitoring to detect this account accessing accounts off-hours or accessing multiple accounts simultaneously. And this went on for six months. Did I misread something?

tialaramex said 3 months ago:

I've built systems which required "helpdesk" type access and had auditing, but the problem is where do think "audit summary report" is on the TODO pile for the people getting those summaries? I'm guessing it's between "Delete unread" and "I really ought to get around to it but I'm too busy so I never do".

Even when it comes to third party audit, those are ring binder driven processes. Does the audit report get generated? Yes, check. Does the person it goes to have a requirement to check it? Yes, check. Done, pass. Auditors _might_ ask to see an example report, but they definitely aren't going to add bogus entries to see what happens for example.

Spot checks aren't a thing in almost any industry. "Chaos Monkey" style checks aren't a thing anywhere at all. So it's easily possible that for six months (or three months) Microsoft was generating internal reports that said "Bob the Helpdesk worker has accessed ten times more user emails today than anybody else" and nobody was asking "Wait, why is Bob an outlier?".

With a targeted attack like this one, your suggestion about requiring a ticket doesn't help very much, the attacker is motivated to jump through hoops unlike script kiddies looking for low-hanging fruit. Insider fraud at banks has been known to go as far as a fake "customer" phoning up to authorize the steps that the bad guys want to take, so that there's an authorization on record when they do them and it won't immediately be flagged as a problem. The real customer may later convince a court that it wasn't them, but that's not real time, the insiders are long gone and so is the money.

Now, you can build systems where it's just impossible for even your own people to get access. But that has a high cost, as you will see in every thread where people castigate Google because they got locked out of something. Why can't Google just hire helpdesk people who have super-user access, they ask...

saulrh said 3 months ago:

Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses. They handle a ton of email for a lot of people, people depend on them, and they are a big target.

If this was a specially privileged superuser account, it should have had more attention paid to it. Yes, it's hard to scale audits or monitoring to the entire customer support org. But if you only have three people that can actually read people's emails, you can certainly audit just their use.

If it's not a specially privileged superuser, then every random helpdesk account can read everything from everyone. This does not inspire confidence.

And even skipping all the complex systems that should have been in place for a system the size of Hotmail: Why did this account not have 2FA? This is basic stuff.

dragonwriter said 3 months ago:

> Yes, I wouldn't expect to find much rigor at Cousin Ricky's house of email. This is Hotmail. They don't have any excuses.

It's consumer Hotmail. From Microsoft’s perspective, that is probably excuse enough.

Of course, I've seen pretty bad things in large HIPAA covered entities with systems with PHI; insufficient security and accountability of support accounts and recovery processes is found lots of places.

arcbyte said 3 months ago:

Arcbyte@cousinrickeyshouseofemail.com has a nice ring to it

dragonwriter said 3 months ago:

> I've built systems which required "helpdesk" type access and had auditing, but the problem is where do think "audit summary report" is on the TODO pile for the people getting those summaries? I'm guessing it's between "Delete unread" and "I really ought to get around to it but I'm too busy so I never do".

Auditing isn't a system feature, it's a business process feature. A system can have logging and even detection of situations requiring auditing, but if no one is systematically reviewing—auditing—the results, it doesn't have auditing.

tialaramex said 3 months ago:

This is an excellent point, thank you for putting it that way. I can't correct my post now, but this point is something I will definitely emphasise in any future system where I'm told audit is a requirement but I doubt that my technical work will actually deliver the effect intended because the "business process" part won't get done.

jammygit said 3 months ago:

I wonder how fastmail is in this regard. Makes me want to reopen my protonmail account honestly

RandomBacon said 3 months ago:

They definitely have access to at least some things. Not sure how it's audited or managed, etc on the backend. I had a problem with something, and what they said seemed to indicate the person I messaged looked at my stored information.

I do like that they have customer service though.

0xffff2 said 3 months ago:

>Now, you can build systems where it's just impossible for even your own people to get access. But that has a high cost, as you will see in every thread where people castigate Google because they got locked out of something. Why can't Google just hire helpdesk people who have super-user access, they ask...

I don't see how allowing helpdesk operators to help users recover access to their accounts has any relation at all to the helpdesk operators having access to the account itself. They need to be able to access and update account metadata, not the account itself.

tialaramex said 3 months ago:

> I don't see how allowing helpdesk operators to help users recover access to their accounts has any relation at all to the helpdesk operators having access to the account itself. They need to be able to access and update account metadata, not the account itself.

So in your system the bad guy can't read my email because he only has the ability to access and update account metadata such as my password and the helpdesk system doesn't give him access to the actual email?

That would work, unless any of the bad guys is smarter than you and realises that they can use this metadata to... log into my account and read my email.

0xffff2 said 3 months ago:

>That would work, unless any of the bad guys is smarter than you and realises that they can use this metadata to... log into my account and read my email.

No need to be so rude and disrespectful.

Obviously there needs to be a password reset mechanism. That mechanism can absolutely be designed in a way that does not involve the helpdesk operator having access to the password or the account.

CamJN said 3 months ago:

People get locked out of their accounts because in addition to losing their password, they don't have access to the recovery email/phone/whatever which they already set (or never set one at all). If the helpdesk operator has the ability to change or otherwise set a destination for a recovery email/token/pin/secret to be sent then they have the ability to set their own account/device as the trusted reset device/account. There really isn't a way that normal people can use that would allow a helpdesk operator to give them back access to their account without also allowing the helpdesk operator to gain access to the account themselves if they so choose.

0xffff2 said 3 months ago:

Gaining access is different from having access though. The mechanism you're describing would require that the bad actor reset the user's password, which would at least set off some alarm bells. That's very different from being able to eavesdrop invisibly.

theaustinseven said 3 months ago:

If the password is stored in plaintext or can be changed by an admin(in a method other than a reset where the user still sets the new password), we've got other problems.

said 3 months ago:
[deleted]
bovermyer said 3 months ago:

You understood it correctly.

There are a great many failures of process here.

runn1ng said 3 months ago:

Microsoft claims it was just 3 months. Otherwise, on point.

dsfyu404ed said 3 months ago:

90 days is a pretty typical rotation period for credentials. They probably noticed this when they rotated the password and the account got locked from wrong password attempts in short order.

packet_nerd said 3 months ago:

Not surprised at all. This is the way enterprise systems are.

It's a little depressing to go to work and try to deal with the atrocious stuff I have to deal with, and then think how much of my life is online at companies probably just as bad as my own.

wnevets said 3 months ago:

Surely gmail doesn't have something this terrible, right?

judge2020 said 3 months ago:

There's a blog post titled Into The Borg[0] that states:

> There is also a user “legal-discovery@prod.google.com” that has permission “auth.impersonation.impersonateNormalUser”

So it exists, but hopefully Google doesn't have the same issues with giving helpdesk employees access to impersonation.

0: https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-...

NullPrefix said 3 months ago:

>And this went on for six months

By "this" you mean "Someone had access to that particular help desk account", not the whole system ?

cheeze said 3 months ago:

Sounds like Microsoft...

0xffff2 said 3 months ago:

This is totally insane. I'm totally baffled by the idea that Microsoft considers it okay for anyone except the owner to have any level of access to personal email accounts.

mrmuagi said 3 months ago:

Having the 'owner' of the e-mail address have the only access is a better extreme than having everyone have access, but I don't think that's feasible. People within Microsoft will always have the ability to access e-mail accounts, the question is if they are the right people and how big that group of people should ever be.

If you are talking about secure e-mail cryptography philosophy along the lines of PGP, ProtonMail, et cetera, sure you can achieve that through those means. Otherwise it's a pipe dream with a product like Outlook that's built for businesses and having AD style control.

kerng said 3 months ago:

Of course there has to be a way to access email- how would they troubleshoot or fulfill legal investigations?

The problem is that an attacker can follow the "legitimate" path - and such attacks should be audited and detected, which is what obviously failed here.

Makes you wonder how vulnerable less mature services are...

jammygit said 3 months ago:

I'm imagining a future cottage industry with companies holding offices in India/Russia/China/<elsewhere> with a full staff reading emails for blackmail material

(naturally finding a politician or celebrity once in a while)

scarmig said 3 months ago:

"Future."

said 3 months ago:
[deleted]
EduardoBautista said 3 months ago:

This further justifies my decision to use an email provider like Protonmail where only I can decrypt my emails' contents.

kerng said 3 months ago:

Interesting to understand the reason for the attack, it's to recover iCloud passwords so they adversaries can sell stolen iPhones! Wow!

Bhilai said 3 months ago:

Why would a customer support person need access to people's email without even seeking the customer's password ?

watermelon0 said 3 months ago:

Support people should never require customer's password, and they should have to get explicit permission to access their account.

For example, they can get access to basic information and option to reset password, if user forgets the password. For anything else, they should get explicit permission (or it can be granted automatically when user opens a support ticket when he/she is logged in, if that's properly specified when creating a ticket).

dRaBoQ said 3 months ago:

Maybe to help them recover their password ?

rad_gruchalski said 3 months ago:

Read my emails to recover my password? That‘s what „forgot your password“ link is for!

Daniel_sk said 3 months ago:

I am sure glad I switched to ProtonMail.

danra said 3 months ago:

Not sure why you were downvoted.

Protonmail stores all your emails encrypted, with the encryption dependent on your password, so something like this couldn't happen there.

RandomBacon said 3 months ago:

Seems like if ProtonMail can encrypt them automatically, then they can potentially be decrypted by someone at ProtonMail.

Reasoning:

Are emails automatically encrypted with a hash of the user password when they are received?

If the user forgets the password, how do password resets work?

Are the emails before the password reset "lost", or does ProtonMail keep a copy of the hashed password (which I suppose would be needed to log in with in the first place) to unencrypt the older emails, and re-encrypt with the newer password?

EduardoBautista said 3 months ago:

They are not encrypted using the user's password. They are encrypted using a standard PGP public key.

int_19h said 3 months ago:

Yes, you lose your old emails if you reset password on ProtonMail.

saganus said 3 months ago:

Really? are there any docs I can read related to this?

It certainly is something that users should probably be aware of. At least I would...

kerng said 3 months ago:

If they really use your password to encrypt, they can also decrypt your emails. I doubt they would advertise this as encryption... I'm not sure what they do technically, but using the password doesnt sound like a good mechanism.

said 3 months ago:
[deleted]
sureste said 3 months ago:

This is totally not something that NSA uses by the way.