Thus spake Tom Cervenka
>We have just found a serious security hole in Microsoft's Hotmail
>service (http://www.hotmail.com) which allows malicious users to easily
>steal the passwords of Hotmail users. The exploit involves sending an
>e-mail message that contains embedded javascript code. When a Hotmail
>user views the message, the javascript code forces the user to re-login
>to Hotmail. In doing so, the victim's username and password is sent to
>the malicious user by e-mail. (see
>http://www.because-we-can.com/hotmail/default.htm for demo)

This is a variation on the Spartan Horse announced by Dan Gregorie over a
week ago, and covered on news.com on the 14th. The Spartan Horse is
available for viewing at:

http://www.thetopoftheworld.com

The news.com article is at:

http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows95/98 Dial-Up-Networking
dialog box. This wasn't originally sent to BUGTRAQ because it doesn't
exploit a specific flaw in programming code in any software, like this
"Hot"Mail exploit. Perhaps that was an oversight on Dan's and my fault, but
I did want to set the record straight on the origination of this idea for
Dan's sake.

--
Jeff McAdams                    Email: jeffmat_private
Head Network Administrator      Voice: (502) 966-3848
IgLou Internet Services                (800) 436-4456
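The defence against the class of bug Tom describes (a webmail service rendering a message's embedded script, or a forged login form, inside the logged-in user's session) is to strip all active content from message HTML before it is shown. The allowlist sanitizer below is an added illustration written for this archive entry, not code from Hotmail or from either poster; the tag and attribute allowlists, the SAFE_SCHEMES list and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allowlist: only inert formatting survives; anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# These elements lose their content too, not just their tags: script, and the
# containers a forged "please log in again" dialog would be built from.
DROP_CONTENT = {"script", "style", "form", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class MailSanitizer(HTMLParser):
    """Rebuilds message HTML from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # handle_data() receives decoded text
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser hands us attribute values already unescaped
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every on* event handler by virtue of not being listed
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data: and similar script-bearing URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text so it stays text


def sanitize_mail_html(body):
    """Return the message body with all active content removed."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```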
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:26 PDT