The Daily WTF: Curious Perversions in Information Technology

Windows Live Password Reset Email

Last post 11-26-2007 11:36 AM by Jetts. 17 replies.
  • 11-23-2007 8:41 AM

    • jackie
    • Not Ranked
    • Joined on 04-16-2007
    • Belfast, UK
    • Posts 6

    Windows Live Password Reset Email


    Anyone else think this email is slightly odd? <> denote personalised info:

    ------------------------------------------------------

    Hello, <EMAIL ADDRESS>

    We received your request to reset your Windows Live password. To confirm your request and reset your password, follow the instructions below. Confirming your request helps prevent unauthorized access to your account.

    If you didn't request that your password be reset, please follow the instructions below to cancel your request.


    CONFIRM REQUEST AND RESET PASSWORD

    1. Copy the following web address:

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=0

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    2. Open your web browser, paste the link in the address bar, and then press ENTER.

    3. Follow the instructions on the web page that opens.


    CANCEL PASSWORD RESET

    1. Copy the following web address.

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=1

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    2. Open your web browser, paste the link in the address bar, and then press ENTER.

    3. Follow the instructions on the web page that opens.


    OTHER INFORMATION

    Windows Live is committed to protecting your privacy. We encourage you to review our privacy statement Privacy Statement at http://g.msn.co.uk/2privacy/engb.

    For more information, go to the Windows Live Account site at https://account.live.com.


    Thank you,

    Microsoft Customer Support

    NOTE: Please do not reply to this message, which was sent from an unmonitored e-mail address. Mail sent to this address cannot be answered.

  • 11-23-2007 8:49 AM In reply to

    Re: Windows Live Password Reset Email


    Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe *2* pixels. 

    -- Never play leapfrog with a unicorn
  • 11-23-2007 9:46 AM In reply to

    Re: Windows Live Password Reset Email

    MarcB:

    Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe *2* pixels. 

    Aside from the copy and pasting a url from an unverified (and red-flaggy) email address and submitting data to that url, sure everything seems fine.
    irc://irc.slashnet.org/#TDWTF (Redirects to #CodeLove)
    <anon> Goddamnit, I wish I still had a gf to make a bikini for
  • 11-23-2007 10:17 AM In reply to

    • Daniel15
    • Not Ranked
    • Joined on 01-27-2007
    • Mountain View, CA
    • Posts 266

    Re: Windows Live Password Reset Email

    IMPORTANT: Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.
    Described above? Above where? That bit of text is right in the middle of the instructions...
  • 11-23-2007 10:30 AM In reply to

    • jackie
    • Not Ranked
    • Joined on 04-16-2007
    • Belfast, UK
    • Posts 6

    Re: Windows Live Password Reset Email

    Even better is that the URLs are actual hyperlinks just begging to be clicked on.
  • 11-23-2007 10:45 AM In reply to

    Re: Windows Live Password Reset Email


    The real WTF:


    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

     ... but of course copy and paste isn't enough to stop a phish. The instructions would have to get a bit lengthy with phrases like "now inspect the URL for any elements that could be a problem. Perhaps the domain name www.godaddy.microsoft.com isn't really owned by microsoft. Perhaps the letter o in www.microsoft.com is actually the Azerbaijani sanskrit Unicode for their vowel "owww". Perhaps the URL looks fine up front but in the end redirects to pirates.ru." Yes, learn to be an internet detective and inspect every URL for many minutes before following any link.

  • 11-23-2007 10:56 AM In reply to

    Re: Windows Live Password Reset Email

    MarcB:

    Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe *2* pixels. 

    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link. Perhaps, Microsoft is building a spambase of their users? 8=]

    It's time code pages were retired.

    #TDWTF @ SlashNET was merged into #codelove @ the same network. You're still welcome to drop by. I guess.
  • 11-23-2007 12:06 PM In reply to

    Re: Windows Live Password Reset Email


    Lingerance:
    Aside from the copy and pasting a url from an unverified (and red-flaggy) email address and submitting data to that url, sure everything seems fine.

    Well, in theory, this email would have come as a response to you hitting a "I forgot my password" link on the site. Unless the net's totally congested right then, this reminder email would've shown up within a minute or so of you having hit the link. The odds of a phishing mail showing up, for the exact same service you just requested the reminder for, are pretty low.

    Now, of course, if this was totally unsolicited. ie: it is a phishing attempt, or some numbnut entered your email addy by mistake (s00pahcoold00d325@hotmail.com and s00pahcoold00d326@hotmail.com are so easy to confuse, after all), then yeah, I'd be a bit suspicious.

    Besides, pretty much every talking head on the "OMG YOU CAN GET HAXX0RED!!!!!" segments on the news is advocating you cut'n'paste links from emails in any case. If the mail's legit, then somehow you're going to have to go get the confirmation code (or whatever) from the reminder mail into the browser.

    If it's fake, then go ahead and click, or cut'n'paste, or re-type, either way, you're pwned. At some point the luser has to take a bit of responsibility for doing SOME basic due diligence.

    -- Never play leapfrog with a unicorn
  • 11-23-2007 12:46 PM In reply to

    • Kemp
    • Top 500 Contributor
    • Joined on 09-21-2006
    • Posts 126

    Re: Windows Live Password Reset Email

    They're specifically giving advice relating to avoiding attacks where the link address is different to the link text. Of course if they're the same then you'll go to the same place, but often phishing emails have links that go somewhere else than the text would imply (having the link text looking like a legitimate link). The advice is good, but obviously not a substitute for checking properly *before* going there. Either way I call not a wtf.
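The URL inspection the post above Kemp's sketches (a brand name parked under someone else's domain, a non-Latin letter swapped into the host) and the trick Kemp describes (link text that reads like one URL while the href goes somewhere else), as an added example that is not code from this thread or from Microsoft's mail: a small Python inspector that pulls every anchor out of an HTML body, compares the visible text with the real href, and flags the usual tells. The trusted-host allow-list, the brand-word list, the "last two labels" registrable-domain rule and the sample body are all assumptions constructed for the example; the GUID in the sample is a placeholder.

```python
"""Inspect links in an HTML e-mail body the way the thread says a reader should:
compare the visible link text with the real href, and look for lookalike hosts."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the thread's e-mail actually uses. Assumption: this is the allow-list a
# mail filter for this sender would carry; a real deployment needs a full list.
TRUSTED_HOSTS = {"accountservices.msn.com", "account.live.com"}
# Brand words whose presence in an untrusted host is a classic phishing tell (assumed list).
BRAND_WORDS = ("microsoft", "msn", "live", "hotmail")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html_body):
    parser = _AnchorCollector()
    parser.feed(html_body)
    return parser.anchors


def registrable_domain(host):
    """Last two labels of a host. Simplifying assumption for the example;
    production code should consult the Public Suffix List (think co.uk)."""
    return ".".join(host.split(".")[-2:])


def check_url(url):
    """Return the reasons a URL looks suspicious; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) label in host")
    if not host.isascii():
        # A homoglyph such as Greek omicron for Latin o lands here; show the
        # name the browser would actually resolve.
        try:
            ascii_form = host.encode("idna").decode("ascii")
        except UnicodeError:
            ascii_form = "<unencodable>"
        reasons.append(f"non-ASCII host, resolves as {ascii_form}")
    if host not in TRUSTED_HOSTS:
        reasons.append(f"host {host!r} is not a trusted host")
        if any(word in host for word in BRAND_WORDS):
            reasons.append(f"brand name in untrusted domain {registrable_domain(host)!r}")
    return reasons


def check_anchor(href, text):
    """Flag link text that reads like a URL while the href points at a different host."""
    reasons = check_url(href)
    if "://" in text or text.startswith("www."):
        shown = text if "://" in text else "https://" + text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host != (urlsplit(href).hostname or "").lower():
            reasons.append("visible text host differs from href host")
    return reasons


def inspect_email(html_body):
    """Map each href in the body to its list of findings."""
    return {href: check_anchor(href, text) for href, text in extract_anchors(html_body)}


# Constructed sample body (not the thread's real e-mail): one legitimate link with a
# placeholder GUID, one brand-in-subdomain lure, one homoglyph host, one text/href mismatch.
SAMPLE_BODY = """
<p><a href="https://accountservices.msn.com/EmailPage.srf?emailid=GUID&amp;urlnum=0">
https://accountservices.msn.com/EmailPage.srf?emailid=GUID&amp;urlnum=0</a></p>
<p><a href="https://www.microsoft.com.example.net/reset">Reset your password</a></p>
<p><a href="https://www.micr\u03bfsoft.com/reset">www.microsoft.com</a></p>
<p><a href="http://203.0.113.7/login">https://account.live.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE_BODY).items():
        print(href, "->", findings or "ok")
```

The first sample link passes every check; the other three each trip at least one. Note that the check is on the href the browser would follow, not on the text, which is exactly why "copy the text and paste it" is no protection when the text itself is the lookalike.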
  • 11-23-2007 5:33 PM In reply to

    Re: Windows Live Password Reset Email

    The last two links don't have the "don't click on me" thing?
    TRWTF is Community Server
  • 11-23-2007 5:37 PM In reply to

    Re: Windows Live Password Reset Email


    Spectre:
    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link.

    Agree, TRWTF. 

  • 11-23-2007 5:50 PM In reply to

    Re: Windows Live Password Reset Email

    Matevžk:

    Spectre:
    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link.

    Agree, TRWTF. 

    There are scenarios where that is not sufficient. For example:

    Attacker requests a password reset in your name.

    Attacker has broken into your email, and intends to reset your password.

    If there's no way to cancel the request, there's no defense. But if you get to the email before the attacker, and cancel the request, you're OK. It's a bit far fetched I know, but within the realm of possibility.

    TRWTF is Community Server
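The two-link scheme from the original e-mail (one emailid token, urlnum=0 to confirm and urlnum=1 to cancel) and the mailbox race m0ffx describes, as an added Python example that is not code from this thread or from Microsoft: a reset service that issues one random token per account, acts on whichever link is visited first, and makes the token single-use with an expiry. The token format, the 15-minute lifetime, the link base URL and the example addresses are assumptions made for the example; passwords are stored in plaintext only to keep the demo short.

```python
"""Added example: a password-reset request keyed by one random token, with the
thread's two links (urlnum=0 confirms, urlnum=1 cancels) acting on it."""
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumption: how long a reset link stays valid


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # token -> {"email": ..., "expires": ...}
        self.passwords = {}   # email -> password; plaintext only for the demo

    def request_reset(self, email):
        """Issue a fresh request; any older pending request for the account dies with it."""
        for token, req in list(self._pending.items()):
            if req["email"] == email:
                del self._pending[token]
        token = secrets.token_urlsafe(32)   # unguessable, like the GUID in the e-mail
        self._pending[token] = {"email": email, "expires": self._clock() + RESET_TTL_SECONDS}
        return token

    def links_for(self, token):
        """The two URLs the e-mail carries, differing only in urlnum (base URL assumed)."""
        base = "https://accountservices.msn.com/EmailPage.srf?emailid="
        return {"confirm": f"{base}{token}&urlnum=0", "cancel": f"{base}{token}&urlnum=1"}

    def _find(self, token):
        # Compare against every stored token in constant time, so response timing
        # never reveals how much of a guessed token matched.
        for stored, req in self._pending.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return stored, req
        return None, None

    def handle_link(self, token, urlnum, new_password=None):
        """Process a visit to one of the two links and return what happened."""
        stored, req = self._find(token)
        if req is None:
            return "unknown, cancelled or already used"
        if self._clock() > req["expires"]:
            del self._pending[stored]
            return "expired"
        if urlnum == 1:
            del self._pending[stored]           # one visit kills the request for good
            return "cancelled"
        if urlnum == 0 and new_password:
            self.passwords[req["email"]] = new_password
            del self._pending[stored]           # single use: a second confirm fails
            return "password reset"
        return "bad request"


def mailbox_race(owner_cancels_first):
    """m0ffx's scenario: an attacker inside the victim's mailbox requests a reset.
    Whoever acts on the e-mail first decides the outcome.
    Returns (owner_result, attacker_result, password_now_in_effect)."""
    svc = PasswordResetService()
    svc.passwords["victim@example.com"] = "original"
    token = svc.request_reset("victim@example.com")   # requested by the attacker
    if owner_cancels_first:
        owner = svc.handle_link(token, 1)
        attacker = svc.handle_link(token, 0, "attacker-chosen")
    else:
        attacker = svc.handle_link(token, 0, "attacker-chosen")
        owner = svc.handle_link(token, 1)
    return owner, attacker, svc.passwords["victim@example.com"]


if __name__ == "__main__":
    print("owner cancels first:", mailbox_race(True))
    print("attacker confirms first:", mailbox_race(False))
```

The cancel link buys the owner nothing unless the request is really dead afterwards, which is why a cancelled or used token is deleted rather than merely marked, and why a new request for the same account discards the old one: otherwise an attacker could keep a stale link alive and try it after the owner has stopped paying attention.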
  • 11-23-2007 6:36 PM In reply to

    Re: Windows Live Password Reset Email


    I like this: 



    jackie:


    1. Copy the following web address:

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=0

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.


    And then this:



    jackie:



    Windows Live is committed to protecting your privacy. We encourage you to review our privacy statement Privacy Statement at http://g.msn.co.uk/2privacy/engb.



    So what is the difference between that link and any other link that they "recommend" you don't click on? 


  • 11-23-2007 7:03 PM In reply to

    Re: Windows Live Password Reset Email

    It says 'as described above', when actually it is described below.
  • 11-24-2007 3:20 AM In reply to

    • Daniel15
    • Not Ranked
    • Joined on 01-27-2007
    • Mountain View, CA
    • Posts 266

    Re: Windows Live Password Reset Email

    Lazy-lump:
    It says 'as described above', when actually it is described below.

    Well...

    Right above that "as described above" bit, it says "1. Copy the following web address:" and right below it, it says "2. Open your web browser, paste the link in the address bar, and then press ENTER", both of which are part of the instructions. So the "as described above" bit is actually in the middle of the instructions...

  • 11-24-2007 6:40 AM In reply to

    Re: Windows Live Password Reset Email

    m0ffx:
    There are scenarios where that is not sufficient. For example:

    Attacker requests a password reset in your name.

    Attacker has broken into your email, and intends to reset your password.

    If there's no way to cancel the request, there's no defense. But if you get to the email before the attacker, and cancel the request, you're OK. It's a bit far fetched I know, but within the realm of possibility.

    That very scenario happened several times to various players of a certain online game that prides itself on its "real cash economy". They'd gain access to the email account, request a new in-game password and then transfer all that player's items and money to another in-game avatar. They would auction off the player's items for whatever they could get from the in-game auction system and then withdraw all the money out of the game. By changing the password it did two things: (1) let them access the player's avatar and (2) it locked the player out of the game so they couldn't stop what was going on. When the real players tried to log in they would get a message stating that they were already logged in. A few created secondary avatars and after some wandering actually found their original avatars in-game. I don't remember the finer details beyond them being a proper show-off and openly telling them stuff like "yer I hacked your account, so what?".

  • 11-24-2007 3:33 PM In reply to

    Re: Windows Live Password Reset Email


    RandomPoster:


    So what is the difference between that link and any other link that they "recommend" you don't click on? 


    That link doesn't contain information that can be used to reset your account password. Come on man, this isn't rocket science. None of this is a WTF. 

  • 11-26-2007 11:36 AM In reply to

    • Jetts
    • Not Ranked
    • Joined on 09-27-2007
    • AB, Canada
    • Posts 64

    Re: Windows Live Password Reset Email

    Tann San:

    "yer I hacked your account, so what?".

    Internet pirates strike again.  "Yar, I be not payin' for this content, ya lubber!"

Powered by Community Server (Non-Commercial Edition), by Telligent Systems