Hotmail security lapse

freddystarr

Hi ,

Twice today , I logged onto my hotmail account from my vodafone mobile and ended up on 2 different persons' hotmail accounts!
In neither case did i enter any id or password bar my own.
I have searched for news of a lapse of hotmail security today but found none.

It definitely has me worried about their security.

Coincidentally or not ,the names seemed to be Irish so perhaps it was a local lapse of security only , not interbational.

Has anyone else experienced this today or recently?

cheers

Freddy

bushy...

If you watch the "address bar " ( not too easy on a mobile ) does it change from "https" to "http" when it gets to the page with your inbox and all that ?

Shzm

Most likely a caching on Vodafones part than Hotmail itself. This would be why you found that the accounts you saw had Irish names.

Jaden

http://www.siliconrepublic.com/news/article/13022/comms/hotmail-mobile-back-online-after-privacy-glitch

probe

Confirmation, if it was needed, that Vodafone appears to be storing your email and probably other traffic. Who knows where it is ending up?

http://www.dataprotection.ie is a waste of money and should be shut down forthwith.

rmacm

probe wrote: »

Confirmation, if it was needed, that Vodafone appears to be storing your email and probably other traffic. Who knows where it is ending up?

http://www.dataprotection.ie is a waste of money and should be shut down forthwith.

So you're advocating the shutting down of the pretty much the only advocate for peoples privacy in the country.....that doesn't strike me as being too smart. If you have a complaint against Vodafone why not send it to the Data Protection Commissioner and see what can be done, that's what s/he is there for.

bushy...

probe wrote: »

Confirmation, if it was needed, that Vodafone appears to be storing your email and probably other traffic. Who knows where it is ending up?

Nothing too dramatic , what I was getting to above was this :

They have a proxy somewhere along the line.
It shouldn't regurgitate https pages ( be a glorified mtm attack otherwise i s'pose )

When you log in , its a https page

When you read your inbox and all the rest , they're just http pages that the proxy will recycle ( if someone was asleep setting it up )

Google mail (used to ?) behaves that way by default , goes from https to http .

Saves processing power or similar on their end probably.

bushy...

probe wrote: »

Confirmation, if it was needed, that Vodafone appears to be storing your email and probably other traffic. Who knows where it is ending up?

Where d'ya reckon does an email message "live" on something like hotmail, gmail etc ?

probe

rmacm wrote: »

So you're advocating the shutting down of the pretty much the only advocate for peoples privacy in the country.....that doesn't strike me as being too smart. If you have a complaint against Vodafone why not send it to the Data Protection Commissioner and see what can be done, that's what s/he is there for.

A total waste of time. Been there, done that. At least you in Aachen have only 6 months data retention, and only since 1.1.2009 - you terrorist you! And your German carrier is not allowed to store the content of your email or other traffic.

Anyway you should know that you are on the Bundeskriminalamt terrorist target list, along with the other 82 million Einwohner von Deutschland..... A benign country that has zero terrorism.

Ireland has no legal requirement on carriers to destroy traffic or email data, and forces them to store it for a minimum of 3 to 5 years depending on which law you read in its bureaucratic archaic non-codified legal non-system. And no real restriction on what personal data these carriers can send out of the country. Most "Irish" telecommunications carriers are controlled from outside Ireland and have the authorization of the Data Protection Commissioner to send this information out of the country. The intelligent person will have difficulty understanding why this is necessary for the conduct of their business, and will wonder what they are really up to?

http://www.vimeo.com/4631958

rmacm

probe wrote: »

A total waste of time. Been there, done that. At least you in Aachen have only 6 months data retention, and only since 1.1.2009 - you terrorist you! And your German carrier is not allowed to store the content of your email or other traffic.

I don't think it's reasonable to assume that your specific case (which may have been a waste of time for you) means that the entire concept of having a data protection commissioner is a waste of time. Heh I've been called a lot of things in my shortish life but terrorist is a new one

Anyway you should know that you are on the Bundeskriminalamt terrorist target list, along with the other 82 million Einwohner von Deutschland..... A benign country that has zero terrorism.

I'm assuming you mean they class me as a potential terrorist given your comment above? Oh well things could be worse.

Black Swan

Not sure someone can easily sidejack a Vodafone transmission after it changes from https to http (when no longer SSL after authentication), as can occur with unencrypted packets through wireless access points at hotspots? Or that you would unintentionally receive the traffic of a MITM when normally using your mobile? Rather I would think that there was a bug with your mobile carrier (Vodafone) that was the source of the unanticipated traffic?

Red Crow

Someone got into mine and deleted a few emails although I rang up Microsoft and they were recovered.

bushy...

Blue_Lagoon wrote: »

Not sure someone can easily sidejack a Vodafone transmission after it changes from https to http (when no longer SSL after authentication), as can occur with unencrypted packets through wireless access points at hotspots? Or that you would unintentionally receive the traffic of a MITM when normally using your mobile? Rather I would think that there was a bug with your mobile carrier (Vodafone) that was the source of the unanticipated traffic?

I was thinking along the lines of Vodafone having a proxy somewhere along the line between your handset and the internet , to speed things up etc etc.

It wouldn't ( shouldn't or it'd show cert errors ) cache https pages.
If it was badly setup though , it'd store and regurgitate http pages it shouldn't.

Once you finish logging into Gmail (for example) goes back to http pages - unless you tell it to "Always use https".