Tuesday, May 03, 2005

Identity Integrity: Bebo.com

This morning I received a very strange email from my sister asking me to update my personal contact information on Bebo.com. I was very skeptical that this email had actually come from my sister, so I immediately emailed her to ask if she had sent me the message. She replied that everyone she knows uses this thing and that she had lost her address book, so she would use it too. The message was as follows:


I am updating my address book and it would be very helpful if you could click on the link below and enter your contact details for me:


I am using a new service that helps people stay in touch. It is only for direct friends and allows you to privately exchange contact details and view one another's photos. You choose what to share.

Thank you for helping.

At this point I was very worried that my sister might have fallen for a scam of some sort, so I told her that I was concerned she may be using Bebo.com for my personal data...and she replied that she would not. She was also under the impression that Bebo.com is part of hotmail. Now I was getting worried that Microsoft was pulling a fast one on people and trying to take over the world by combining Bebo.com with their webmail service -- but I hadn't seen it on the all-knowing Slashdot yet.

I did a little research on the Bebo.com website and was not able to find anything that would link them to Microsoft. I did some more googling and found that many people were receiving spam and were unhappy with how Bebo.com hijacked their hotmail password/account, so I thought I would investigate this. The first step would be to create a throw-away email address with hotmail.

I created an account with hotmail called 'isthisbebo@hotmail.com'. This took a very short time, filling out each form with bogus information.

First name: bebo1
Last name: bebo2

The next step is to sign up with Bebo.com and try to find out where they link with hotmail. I then signed up with the username, 'isthisbebo'. The following information is requested about the person signing up:

My Contact Details
First Name
Last Name
Date Of Birth
Email Addresses: Home
Phone Numbers: Home
Postal Addresses: Home

The very next page shows a couple of text boxes which allow you to enter your hotmail email account and password so that Bebo.com can show you who IN YOUR ADDRESS BOOK is already in Bebo.com. Is that scary or what? This service is using people's email accounts to access address books. Why write a virus to do this? Just create a website and ask people; they will give you their passwords!! I wonder if Microsoft condones this practice? The next step was to enter my hotmail email address and password and watch it go over the wire in the clear...which it did:

Email form:

Add Friends

Request contact details from your own friends and populate your free address book.

Hotmail Users
Enter your Hotmail details below and we'll show you who's already using Bebo from your Hotmail Address Book.

Hotmail Email Address

Hotmail Password

~ OR ~

Copy and Paste the wording below into an email.
Send the email to friends to request their contact details. You can send from either your Hotmail account and/or ANY other email account you may have.
Need instructions on how to Copy and Paste? Click here

Ethereal Capture:

POST /WhosHere.jsp?Ran=289260571 HTTP/1.1
Host: bebo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://bebo.com/RequestDetails.jsp?NewMember=Y&Ran=507541617
Cookie: bdaysession=251377972379689953; Email=isthisbebo@hotmail.com; Username=isthisbebo; A=-1; G=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

ScraperTypeCd=H&Email=isthisbebo%40hotmail.com&Password=testing&OK=++OK++

HTTP/1.1 200 OK
Server: Resin/2.1.16
Content-Type: text/html; charset=utf-8
Content-Length: 8888
Connection: close
Date: Wed, 04 May 2005 02:04:24 GMT
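As an added illustration (not part of the original post or of anything Bebo.com published), here is a small Python detector of the kind a network defender might run over a capture like the one above: it parses a raw HTTP/1.1 request, honours Content-Length so the response Ethereal printed directly after the body is not mistaken for form data, and flags any credential-looking form field that was posted over plaintext HTTP. The request text is a constructed sample modelled on the capture, with a placeholder password.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the capture above; the password is a placeholder.
SAMPLE_REQUEST = (
    "POST /WhosHere.jsp?Ran=289260571 HTTP/1.1\r\n"
    "Host: bebo.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 73\r\n"
    "\r\n"
    "ScraperTypeCd=H&Email=isthisbebo%40hotmail.com&Password=testing&OK=++OK++"
)

# Form field names that should never be posted over plaintext HTTP.
SENSITIVE_FIELDS = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length: anything after the body (such as the response that
    # Ethereal printed right behind it) is not form data.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "headers": headers, "body": body[:length]}


def find_cleartext_credentials(raw: str) -> list:
    """Return (field, masked value) pairs for credential-looking fields in a plaintext form POST."""
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    for name, values in parse_qs(req["body"], keep_blank_values=True).items():
        if SENSITIVE_FIELDS.search(name):
            for value in values:
                # Mask before logging: the alert itself must not leak the secret.
                findings.append((name, value[:1] + "*" * (len(value) - 1)))
    return findings


if __name__ == "__main__":
    for field, masked in find_cleartext_credentials(SAMPLE_REQUEST):
        print(f"cleartext credential in field {field!r}: {masked}")
```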

In conclusion, Bebo.com is NOT integrated with hotmail.com. The practice that Bebo.com has started of trying to fool people into giving them their hotmail username/password is very disconcerting. I am going to warn my family and friends to be very careful when using this service and not to give out other email addresses or passwords. If a hacker were to compromise this system, there is no requirement for Bebo.com to disclose it to the users, as far as I know -- and the hacker would hold a valid email address and password for some users. Bebo.com also reserves the right to send spam to those on their lists.

