Serious Security Hole in Hotmail

From: Tom Cervenka (tomcat_private)
Date: Mon Aug 24 1998 - 13:21:56 PDT

Next message: Marc Slemko: "Solaris ab2 web server is junk"

Previous message: Alex Mottram: "Security concerns in linuxconf shipped w/RedHat 5.1"
Next in thread: Jeff Mcadams: "Re: Serious Security Hole in Hotmail"
Reply: Jeff Mcadams: "Re: Serious Security Hole in Hotmail"
Reply: Jonathan A. Zdziarski - Systems Administrator: "Re: Serious Security Hole in Hotmail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We have just found a serious security hole in Microsoft's Hotmail
service (http://www.hotmail.com) which allows malicious users to easily
steal the passwords of Hotmail users. The exploit involves sending an
e-mail message that contains embedded javascript code. When a Hotmail
user views the message, the javascript code forces the user to re-login
to Hotmail. In doing so, the victim's username and password is sent to
the malicious user by e-mail. (see
http://www.because-we-can.com/hotmail/default.htm for demo)

 Once a malicious user knows the password to the victim's Hotmail
account, he can assume full control of the account, including the
ability to:

          - delete, send, and read the victim's e-mail
          - check mail on other mail servers that the victim has
configured for mail-checking
          - access the victim's address book
          - discover other passwords sent as confirmation of
registration in old e-mails
          - change the password of the Hotmail account

The security problem is dangerously easy to take advantage of. A
would-be hacker needs only to embed the javascript code into the body of
an e-mail message using a standard e-mail program such as Netscape Mail
(free). In a working demonstration and full description of this exploit
at http://www.because-we-can.com/hotmail/default.htm, it is shown that
even users without their own internet service provider (ISP) can steal
an arbitrary number of Hotmail passwords by using a free Geocities
account.

The "Hot"mail exploit is a serious security concern for the following
reasons:

        1.The malicious code runs as soon as e-mail message is viewed
        2.The resources required to launch the attack are minnimal and
freely available.
        3.The malicious e-mail can be sent from virtually anywhere,
including libraries,
          internet cafes, or classroom terminals
        4.The exploit will work with any javascript-enabled browser,
including the Microsoft
          Internet Explorer and Netscape Communicator.

 Both Microsoft and Hotmail have been notified that a security problem
exists. The following information about the "Hot"Mail exploit is being
made publicly available to speed the process of fixing the security hole
and inform users  how they can protect themselves. This information is
also being released in the belief that when the public is aware of
serious security problems, expedient measures are taken by software
manufacturers to solve those problems.

Next message: Marc Slemko: "Solaris ab2 web server is junk"
Previous message: Alex Mottram: "Security concerns in linuxconf shipped w/RedHat 5.1"
Next in thread: Jeff Mcadams: "Re: Serious Security Hole in Hotmail"
Reply: Jeff Mcadams: "Re: Serious Security Hole in Hotmail"
Reply: Jonathan A. Zdziarski - Systems Administrator: "Re: Serious Security Hole in Hotmail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:24 PDT