Hotmail security hole - injecting JavaScript using <IMG

From: Georgi Guninski (joroat_private)
Date: Mon Jan 03 2000 - 05:34:13 PST

Next message: Marc Heuse: "compartment"

Previous message: Alfred Huger: "Re: Y2K bug in Shadow IDS (fwd)"
Next in thread: Kevin Hecht: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Kevin Hecht: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Norbert Luckhardt: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Edwin Gonzalez: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Henrik Nordstrom: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Metal Hurlant: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Metal Hurlant: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: ckat_private: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Grahame Bowland: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Dustin Miller: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Ajax: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Andrew Pimlott: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Eivind Eklund: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Ajax: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Georgi Guninski security advisory #1, 2000

Hotmail security hole - injecting JavaScript using <IMG
LOWSRC="javascript:....">

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or  indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using <IMG
LOWSRC="javascript:....">,
which may compromise user's Hotmail mailbox.

Details:
There is a major security flaw in Hotmail which allows injecting and
executing JavaScript code in an email message using the javascript
protocol. This exploit works both on Internet Explorer 5.x (almost sure
IE 4.x) and Netscape Communicator 4.x.
Hotmail filters the "javascript:" protocol for security reasons.
But the following JavaScript is executed: <IMG
LOWSRC="javascript:alert('Javascript is executed')"> if the user has
enabled automatically loading of images (most users have).

Executing JavaScript when the user opens Hotmail email message allows
for example displaying a fake login screen where the user enters his
password which is then stolen.
I don't want to make a scary demonstration, but it is also possible to
read user's messages, to send messages from user's name and doing other
mischief.
It is also possible to get the cookie from Hotmail, which is dangerous.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
It is much easier to exploit this vulnerability if the user uses
Internet Explorer 5.x

Workaround: Disable JavaScript

The code that must be included in HTML email message is:
--------------------------------------------------------
<IMG LOWSRC="javascript:alert('Javascript is executed')">
--------------------------------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro

Next message: Marc Heuse: "compartment"
Previous message: Alfred Huger: "Re: Y2K bug in Shadow IDS (fwd)"
Next in thread: Kevin Hecht: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Kevin Hecht: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Norbert Luckhardt: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Edwin Gonzalez: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Henrik Nordstrom: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Metal Hurlant: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Metal Hurlant: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: ckat_private: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Grahame Bowland: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Dustin Miller: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Ajax: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Andrew Pimlott: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Eivind Eklund: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Reply: Ajax: "Re: Hotmail security hole - injecting JavaScript using <IMG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:39 PDT