it appears that hotmail put a fix in this by s/<script>/<comment>/ or some variation, when you view a message. On Tue, 25 Aug 1998, Jeff Mcadams wrote: > Thus spake Tom Cervenka > > >We have just found a serious security hole in Microsoft's Hotmail > >service (http://www.hotmail.com) which allows malicious users to easily > >steal the passwords of Hotmail users. The exploit involves sending an > >e-mail message that contains embedded javascript code. When a Hotmail > >user views the message, the javascript code forces the user to re-login > >to Hotmail. In doing so, the victim's username and password is sent to > >the malicious user by e-mail. (see > >http://www.because-we-can.com/hotmail/default.htm for demo) > > This is a variation on the Spartan Horse announced by Dan Gregorie over > a week ago, and covered on news.com on the 14th. The Spartan Horse is > available for viewing at: > http://www.thetopoftheworld.com > The news.com articles, is at: > http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d > > The variation is that the Spartan Horse, as design on the > www.thetopoftheworld.com site mimicks the Windows95/98 > Dial-Up-Networking dialog box. > > This wasn't originally sent to BUGTRAQ because it doesn't exploit a > specific flaw in programming code in any software, like this "Hot"Mail > exploit. Perhaps that was an oversight on Dan's and my fault, but I > did want to set the record straight on the origination of this idea for > Dan's sake. > -- > Jeff McAdams Email: jeffmat_private > Head Network Administrator Voice: (502) 966-3848 > IgLou Internet Services (800) 436-4456 > Thank you, Jonathan A. Zdziarski Senior Systems Administrator Netrail, Inc. 888.NET.RAIL x242
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:28 PDT