Bugtraq mailing list archives
Serious Security Hole in Hotmail
From: tomc () SPECIALTY AB CA (Tom Cervenka)
Date: Mon, 24 Aug 1998 14:21:56 -0600
We have just found a serious security hole in Microsoft's Hotmail service (http://www.hotmail.com) which allows malicious users to easily steal the passwords of Hotmail users. The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim's username and password are sent to the malicious user by e-mail. (See http://www.because-we-can.com/hotmail/default.htm for demo.)

Once a malicious user knows the password to the victim's Hotmail account, he can assume full control of the account, including the ability to:

- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of registration in old e-mails
- change the password of the Hotmail account

The security problem is dangerously easy to take advantage of. A would-be hacker needs only to embed the javascript code into the body of an e-mail message using a standard e-mail program such as Netscape Mail (free). In a working demonstration and full description of this exploit at http://www.because-we-can.com/hotmail/default.htm, it is shown that even users without their own internet service provider (ISP) can steal an arbitrary number of Hotmail passwords by using a free Geocities account.

The "Hot"mail exploit is a serious security concern for the following reasons:

1. The malicious code runs as soon as the e-mail message is viewed.
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals.
4. The exploit will work with any javascript-enabled browser, including the Microsoft Internet Explorer and Netscape Communicator.

Both Microsoft and Hotmail have been notified that a security problem exists.

The following information about the "Hot"Mail exploit is being made publicly available to speed the process of fixing the security hole and inform users how they can protect themselves. This information is also being released in the belief that when the public is aware of serious security problems, expedient measures are taken by software manufacturers to solve those problems.
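A defender-side illustration of the fix class for the problem reported above, added here and not part of the original post or of Hotmail's code: a webmail front end passes each HTML message body through an allowlist filter before display, so script elements, event-handler attributes and non-web link schemes never reach the reader's browser. The allowlist, the function and class names and the sample message are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist chosen for this sketch (an assumption, not any provider's real policy).
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}  # the element's text is discarded too

def safe_url(value):
    try:  # relative and scheme-less URLs are rejected as well
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")  # kept for logging / alerting
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, ())
            if ok and name == "href":
                ok = safe_url(value)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.removed.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message body with inert placeholders for the active content.
SAMPLE = ('<p onmouseover="x()">Hello <b>Bob</b></p><script>/* inert */</script>'
          '<a href="javascript:x()">re-login</a> <a href="https://example.com/">ok</a>')
```

An unterminated `<script>` causes the rest of the body to be dropped, which is the safe failure direction for a mail viewer.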