
ibyoohoo

macrumors newbie
Original poster
Nov 12, 2010
2
0
I was answering a classified ad and was told to go to a website to view the pictures of a classic car. When I went there Firefox warned me I was logging in to a secure site without a password. "Do you wish to proceed?" I clicked yes and proceeded (dumb, I know).

The site turned into my very own hotmail account with me logged in? Is there any chance I was set up to have my computer or hotmail account remotely accessed?

This is where I was told to go:


step55rm@msn.com

I should have remembered the golden rule "If it's too good to be true it is"

Just a little freaked out now. Ad is bogus and all contact info for the ad is fake.
 

Makosuke

macrumors 604
Aug 15, 2001
6,662
1,242
The Cool Part of CA, USA
Actually, if that's exactly the URL you went to, then you were just logging into MSN. That's an email address, not a URL, but if you treat it as a URL and give it to your web browser what will happen is that it will attempt to connect to msn.com--which is Microsoft--as the username "step55rm." MSN likely just ignores the username--most websites do--and since you were already authenticated for Hotmail it just logged you in automatically. You can test by going to msn.com (without the step55rm@) and see if you end up at exactly the same page, or trying the same thing with a random set of characters before the @ symbol, in case MSN does something different when it sees a username with the request.

Again, if that's the exact URL you went to, I can't see any way that it could have done anything untoward, since I don't see MSN hosting any malicious code on a user account. It actually sounds like someone just accidentally typed an email address as a URL.

Now, if it was another URL that just LOOKED like that to you (this would only be if you clicked a link, rather than typed the URL in yourself), then you could have fallen into what's called a cross-site-scripting attack, where a malicious site attempts to load a friendly site with some extra bit of code injected, that will in turn allow it to extract information/login info/whatever from the friendly site. There's a lot of security focus on preventing that, though, so I'm skeptical that's what was happening here.
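
The parsing described in the reply above, as an added example that is not part of the original thread: it uses the standard WHATWG `URL` parser (the one browsers and Node.js share) to show which part of a pasted `user@host` string is the real host, and flags userinfo that is itself shaped like a hostname. The helper names and verdict strings are hypothetical, the `http://` default is an assumption about what the address bar does with scheme-less input, and the `example.com`/`example.net` sample is constructed.

```javascript
// Added example: split address-bar input the way a URL parser does.
// inspectAddressBarInput and classify are hypothetical helper names.
function inspectAddressBarInput(text) {
  // Assumption: a scheme-less string typed into the address bar is tried as http://
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  const url = new URL(hasScheme ? text : "http://" + text);
  return {
    host: url.hostname,        // where the request actually goes
    username: url.username,    // everything before "@" (minus any ":password")
    hasUserinfo: url.username !== "" || url.password !== "",
    // A username shaped like "www.site.tld" makes the string read as a different site.
    usernameLooksLikeHost: /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username),
  };
}

function classify(text) {
  const r = inspectAddressBarInput(text);
  if (!r.hasUserinfo) return "no-userinfo";
  return r.usernameLooksLikeHost ? "userinfo-resembles-hostname" : "plain-userinfo";
}

// The string from the thread, the control suggested in the reply, and one
// constructed sample using reserved example domains.
const samples = [
  "step55rm@msn.com",
  "msn.com",
  "http://www.example.com@login.example.net/cars",
];

for (const s of samples) {
  const r = inspectAddressBarInput(s);
  console.log(`${s}\n  host=${r.host} username=${r.username || "(none)"} -> ${classify(s)}`);
}
```
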
 

ibyoohoo

macrumors newbie
Original poster
Nov 12, 2010
2
0
Thank you for the reply. It was not a link so I just copied and pasted it into the web address. Strange thing is it was a Hotmail page I have never seen before. I have tried it from my PC at work and it says not a valid web address.
When I log in from my work PC it goes to the normal page. Only thing I can think of is that it did take me to a landing MSN page with me already logged in as you stated. I just have never seen that page before. It was loaded with content but had my hotmail info on it. I never go to MSN so that could be why it looked foreign.

I will try it again when I get home to my Mac.

Thanks again for the help!!
 

Makosuke

macrumors 604
Aug 15, 2001
6,662
1,242
The Cool Part of CA, USA
It was loaded with content but had my hotmail info on it. I never go to MSN so that could be why it looked foreign.
Almost guaranteed this is why it didn't look familiar; presumably MSN's customization login uses the same authentication system as Hotmail, so it automatically logged you in there. Google's wide range of services are exactly the same--if I'm logged into gmail, the Google search homepage recognizes me, as does Google Voice and a bunch of other services, including ones I never use.

I should add that while this may or may not have been a fake ad based on the other info, it's entirely possible that this is a real email address, and you'd get a response if you sent something to it.
 