[ISN] New Hotmail Hack Evades Filters

From: InfoSec News (isnat_private)
Date: Mon Sep 10 2001 - 23:10:20 PDT

    By Brian McWilliams, Newsbytes
    10 Sep 2001, 4:19 PM CST

    A new technique for attacking MSN Hotmail users has been discovered,
    the latest in a cat-and-mouse game between Microsoft [NASDAQ:MSFT] and
    Javascript security holes.

    By adding Javascript to the "From" line of a message sent to a Hotmail
    user, an attacker can evade the filters Microsoft has put in place to
    protect the millions who rely on MSN's popular Web-based e-mail
    service, Newsbytes has confirmed.

    Microsoft representatives said the company was investigating the new
    attack and declined further comment.

    The technique, announced today on a security mailing list, doesn't
    even require that the victim open the booby-trapped message.

    According to a posting from Bart van Arnhem, a resident of the
    Netherlands using the nickname "Oblivion," Hotmail takes the From
    address on an incoming message and builds it into the HTML code for
    displaying the Hotmail user's Inbox.

    As a result, simply viewing the service's Inbox page will cause the
    hostile Javascript to execute.

    In an e-mail interview with Newsbytes, van Arnhem said that while
    Hotmail allows any data to be inserted in the "From" line of incoming
    messages, the service appears to be filtering Javascript from the
    "Subject" line.
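
The gap described above is one header field reaching the Inbox markup without output encoding. As an added example (not code from Hotmail or from the article), this sketch contrasts an inbox row that filters only Subject with one that HTML-encodes every sender-controlled field. The function names, the stand-in Subject filter and the sample message are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for a per-field filter (assumption: the real filter is not
// described on the page). It removes script tags from one field only.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, '');
}

// "Before": Subject is filtered, From is copied into the page as received.
function renderRowUnsafe(msg) {
  return '<tr><td>' + msg.from + '</td><td>' + stripScriptTags(msg.subject) + '</td></tr>';
}

// "After": every sender-controlled field is encoded at output time, so the
// browser treats header content as text no matter which field carries it.
function renderRowSafe(msg) {
  return '<tr><td>' + escapeHtml(msg.from) + '</td><td>' + escapeHtml(msg.subject) + '</td></tr>';
}

// Regression check: true if any tag other than the template's own
// (tr, td) appears in the rendered row, i.e. header data became markup.
function containsLiveTag(html, allowed = ['tr', 'td']) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some((t) => !allowed.includes(t.replace(/[<\/]/g, '').toLowerCase()));
}

// Constructed message headers for the check.
const sample = {
  from: '"<script>alert(1)</script>" <sender@example.test>',
  subject: 'Hello <b>there</b>',
};

console.log('unsafe row leaks markup:', containsLiveTag(renderRowUnsafe(sample)));
console.log('safe row leaks markup:  ', containsLiveTag(renderRowSafe(sample)));
```

Encoding at render time covers fields a filter never anticipated, which is why the safe renderer does not need a list of "dangerous" headers.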