Yet another Hotmail security hole - injecting JavaScript in IE

From: Georgi Guninski (joroat_private)
Date: Tue Jan 04 2000 - 06:22:37 PST

Next message: Bill Ralph: "SHADOW and Y2K Problems"

Previous message: Dale Clark: "Re: majordomo local exploit"
Next in thread: Georgi Guninski: "Yet another Hotmail security hole - injecting JavaScript in IE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Georgi Guninski security advisory #2, 2000

Yet another Hotmail security hole - injecting JavaScript in IE using
<IMG DYNRC="javascript:....">

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using <IMG
DYNSRC="javascript:....">,
which may compromise user's Hotmail mailbox when viewed with Internet
Explorer.

Details:
There is a security flaw in Hotmail which allows injecting and executing
JavaScript code in an email message using the javascript protocol.
This exploit works on Internet Explorer.
Hotmail filters the "javascript:" protocol for security reasons.
But the following JavaScript is executed: <IMG
DYNSRC="javascript:alert('Javascript is executed')"> if the user has
enabled automatically loading of images (most users have).

Executing JavaScript when the user opens Hotmail email message allows
for example
displaying a fake login screen where the user enters his password which
is then stolen.
I don't want to make a scary demonstration, but it is also possible to
read user's
messages, to send messages from user's name and doing other mischief.
It is also possible to get the cookie from Hotmail, which is dangerous.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.


Workaround: Disable Active Scripting

The code that must be included in HTML email message is:
--------------------------------------------------------
<IMG DYNSRC="javascript:alert('Javascript is executed')">
--------------------------------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro

Next message: Bill Ralph: "SHADOW and Y2K Problems"
Previous message: Dale Clark: "Re: majordomo local exploit"
Next in thread: Georgi Guninski: "Yet another Hotmail security hole - injecting JavaScript in IE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:51 PDT