TIL that in 1999, hackers revealed a security flaw in Hotmail that permitted anybody to log into any Hotmail account using the password 'eh'.

TIL that in 1999, hackers revealed a security flaw in Hotmail that permitted anybody to log into ...

The greatest moment in the history of Canadian hackers.

From http://archive.wired.com/science/discoveries/news/1999/08/21503 :

After examining that code early Monday, outside security experts suggested that the problem might have been a backdoor inadvertently left open on Hotmail servers by Microsoft engineers. Microsoft vehemently denied the backdoor suggestions, and instead described the problem as "an unknown security issue."

I am almost 100% sure all software has a built in back door.

For which they promptly apologized.

Yeah, it's called drawing the Mona Lisa pixel perfect with no references.

It knows when you're looking

That's not a backdoor. That's a tenth-floor window with a pickable lock.


Even Paint?

And of course any admin account password : meh

But not without calling someone a hoser

And a sniper watching for 23.95 hours per day while hurricane Irma is patrolling for the other .05

I now have control of your reddit account.

Wait, how did either of those guys know my password? Nobody but me is supposed to know it, you guys.

And the building is in a field of 12032 identical buildings with no markings.

Even worse, password recovery from late 90s to 2002 or so was a question/answer system. Most questions were things like "what is the make of my first car" or "where do I want to take a vacation" or "favorite food" or "who do I love", etc. The kind of things that have a very limited set of guessable answers ("ford", "hawaii", "pizza", "mom"), and can easily be answered if you know the person at all (but reasonably easy even if you don't). Once answered correctly after unlimited attempts, it would show the password in plaintext. Pretty easy.

In a city full of unnamed streets and identical hot dog vendors on each corner.


Yes I will.

Weird, all I see is dankmeme.

While your free hand does a non death run of Dark Souls using a Guitar Hero controller...with a lefty flip.

As is tradition...

I suppose you should try guessing the password, eh? Oh, it worked. What worked, eh? Yes.

You won't be able to have control of mine.

While you have poison ivy in your asscrack

I don't remember the "eh". I think it was more like no password check at all. You just had to know the exact hotmail email address. I vaguely remember some form with some prefilled variables that you could use to enter anyone's Hotmail account. And it lasted like 9-12 hours. It was very clear they had no 24/7 response at the time; there were international media articles flying around for like half a day before Redmond eventually woke up and fixed the issue.

I think this hack was made by Swedes (like me) which is why I learned of it so quickly. News spread so slowly between mostly national communities back then..

And yeah, I sadly logged in to a what was a hotmail account of a crush of mine at the time using this trivial exploit. Didn't find anything exciting (I guess I was expecting lots of nude images or at least some salacious gossip, but instead got emails between she and her mom). Felt so guilty. :/ Admitted all of this when we were both drunk together the next month. She excused me. Quite good friends now, married separately.

Yup. I got into the account of someone I barely knew by guessing "pizza."

Death Grips

I like how your story went from I, to we, then to someone.

have you tried programming with Paint

Yes - ?

If you were going to put in a backdoor for whatever reason and have a super secrete universal password you think it would be a very long password not two lowercase characters.

something like P'G75BGkm*SF~?d&

A little while ago, Hotmail did an AMA and I asked them 'sup' because I misremembered this leak. Now I realize I am a tool.

Something like hunter2 maybe that's not my password so don't try it

No, it's really not. If you know that anyone can access anyone else's account just by knowing their email address your first order of business is to just shut down network access to all of the servers (or just pull the cables/fibres). This should happen within 10-20 minutes if you are not asleep at the wheel.

Outage is way better than leakage.

True fact: I once used paint as a backdoor of sorts. In high school, our lab computers were locked down in a very specific way that disallowed folder access and things like the run prompt. MS Paint had a weird ability to open a file browser when opening a file that worked differently than other programs in the version of windows 2000 we were working.

As a result, we were able to access/browse the entire network directory, and someone found a folder that one of the network admins saved a text file containing a domain admin password. Long story short, someone used that to make more domain admin accounts and a lot of people got in trouble for messing around with people's computers that year.


password accepted

Same hack works now, but the password is "whatsupdoc?"

Don't forget about the pudding.

How did you guess my favorite food??

Ok, ok, that part sounded just a tad far fetched...

If you're a developer working on the application and need to log into a bunch of accounts all the time to do dev testing it makes more sense to use a simple password, then deactivate it when the software is done development. It sounds like the forgot to do that...

Oh no, it's captscha.

Something like what? All I see is

Something like ******* maybe that's not my password so don't try it

Now say "I've got a lovely bunch of coconuts."

Security questions are the worst. Most of the time I have no definitive answer to any of the available questions, or there's a couple of ways I could be writing the answer.

And the entire Earth is made of cuuuum

Dees guys didn't even spell captchka right.

At some point in its lifecycle, absolutely yes. You want to be able to test your section of the code even if the login page is being rewritten, so you build in a way to skip logging in. The issue is when that doesn't get changed before release, which is almost certainly what happened with Hotmail.

showing that PowerPoint is Turing complete

Meh, not as impressive as

ok thats new

No, you put them in do they're obvious once found. Then you can easily deny the malicious intent. A dev credential working in production is easy to explain. A 32 character string that only you know makes it hard to deny you knew what you were doing.

Check out the underhanded c contest - http://underhanded-c.org/

Nah. I have definitely used enterprise software where it's possible to completely lock yourself out and the vendor can't help you for any amount of cash. I've also worked with lots of software where the "backdoor" after you lock yourself out is something like copying the database and manually reattaching it to a new copy of the software, or even in one case, manually changing the password hash in the database associated with the initial admin account so it resolves to a known string.

I don't know what I find more impressive; this, or the Super Mario World Flappy Bird hack programmed entirely using Mario jumps in a particular order in a stage.

thought it was hunter2

no please do forget it we have much better food in canada

Here they are standing in a row

Are you even Canadian? I've never heard of "beaks" or "riders bunny hugs"... Also, you spelled Molson wrong...

all I see is **

I was scanning the thread for a clever DG reference. Oh look, some guy just said "Death Grips" and called it a day. Guess that'll have to do.

Well, they're not going to give out NSA backdoors to any civilian who forgets their PW, now are they?







kill your self

kill your self??!?!?!

IF (User.Password == 'eh') {Access.Granted();} /* TODO: remove this before release */

Don't call me bud, friend.

I may be whooshing here but that sounds like a great way to lock your own self out of your account when you forget your own password AND made up security questions.

Are you me?

Software dev here:


All I see is *******

if(submittedPassword == goodPassword || submittedPassword == "eh"){ // TODO: REMOVE BEFORE PUTTING IN PRODUCTION!!!

We have no idea what happened

They haven't made anything. There is no conversion in the video. They simply open the BMP in notepad. They selected colour values that matched the ascii character values of the text they wanted.



The exact URL was

Replace USERNAME with the the target username. IIRC you're right, the problem was the link wasn't checking the password at all, meaning in theory you could replace eh with anything. It's just that the "eh" URL was the one that got passed around as SOMETHING needed to be in that field.

Im not your friend, guy.

Protip: make up answers for commonly used security questions. That way if that information is ever hacked, it's useless.

It's a South Park reference there bud. But while we're on the topic of conversation, what is your favourite Canadian food? I really enjoy Ginger Beef (invented in Calgary).

This is still funny every time I see it

If you want to look way too deep at a Dunkey reference, be my guest

I'm not your guy, pal.


There's also a backdoor into the pentagon, you need to beat Dark Souls with only a keyboard as input in under 2 hours.

That's why hackers are better in America; we don't get stuck in a loop of apology.

Big ones, small ones, some as big as your head

Fucks fail to understand I'm like. Eh.

"That 32 character string is from one of our dev components which was accidentally pushed live". How is that any less believable?

but the Mona Lisa didn't have any pixels. It was made out of paint. converting it to pixels reduces the resolution no matter how many pixels there are. I could call this █ is a pixel perfect Mona Lisa at very low resolution.

Ehh frig off there bud, you're all beaks. Us Canadians dont speak that different. Let's all just go for a rip and drink some molsen wearing our favourite riders bunny hugs. Happen to have two loonies for a toonie? We'll hit a timmies on the way to stick n puck.

2 letter text, translation next

Not true unfortunately. Most devs leave backdoors to assist during the development phase. Lazy devs neglect to clean them up before shipping which is how problems happen.

Not trying to be a buzz kill but it's probably not very difficult to make this. You just loop through each pixel and convert RGB -> HEX -> ASCII or whatever. I don't think he's written a programming language, basically just converting letters to numbers then to rgb.

I might be wrong but that's what it looks like. The most annoying part by far would just be converting it all to rgb just so the program can convert it all back. Although that could also easily be automated.


did it work?

You've convinced me. I'd rather buy a hot dog.

My friends and I did somethign similar. We modified the Desktop background to say "[insert hated person's name] was here."

That person got in so much trouble.... but then they realised that this person lacked the intelligence to do it.

In my school, we had a software that reset everything you did after you logged out. You could not save anything.

How we got through though is the school did not password protect the bios. We put PuppyLinux on a USB and ran PuppyLinux on the school comp. From there, we had access to the file manager that housed the permanent files. We then modified those permanent files.

We were never caught haha.


That's what password managers (e.g. LastPass/PasswordDepot) are for.

Seriously, OP?


At least post to the right section.

Because if you only added it for some quick debugging then you wouldn't have made it a random long string.


K there ya choch. I'm From the paris of the prairies bud. I'm more Canadian than trudeau (the first one) riding a moose down yung street on the first of july. Sorry you don't know what those things are, you must be a bit of a rookie then, eh?? Molsen garbage anyway, I'll take Great Western O16 over that any time of the week—brewed in downtown saskaboom. I'd keep on beaking ya but my old man's deere is broken so I gotta be the one to harvest the canola.

even if you know the fix, you don't want to hot patch without testing......9-12 hours is pretty damn quick tbh.

Hawaiian pizza

California rolls


Bloody Caesars if you include drinks

Current best practice is to write unit tests for everything, and use internal APIs. It lets you pretty much avoid that sorta clusterfuck.