Bugtraq mailing list archives
Re: Serious Security Hole in Hotmail
From: jeffm () IGLOU COM (Jeff Mcadams)
Date: Tue, 25 Aug 1998 07:38:14 -0400
Thus spake Tom Cervenka
We have just found a serious security hole in Microsoft's Hotmail service (http://www.hotmail.com) which allows malicious users to easily steal the passwords of Hotmail users. The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim's username and password are sent to the malicious user by e-mail. (see http://www.because-we-can.com/hotmail/default.htm for demo)
This is a variation on the Spartan Horse announced by Dan Gregorie over a week ago, and covered on news.com on the 14th.

The Spartan Horse is available for viewing at: http://www.thetopoftheworld.com

The news.com article is at: http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the www.thetopoftheworld.com site, mimics the Windows95/98 Dial-Up-Networking dialog box.

This wasn't originally sent to BUGTRAQ because it doesn't exploit a specific flaw in programming code in any software, like this "Hot"Mail exploit. Perhaps that was an oversight on Dan's and my fault, but I did want to set the record straight on the origination of this idea for Dan's sake.

--
Jeff McAdams
Head Network Administrator
IgLou Internet Services
Email: jeffm () iglou com
Voice: (502) 966-3848
(800) 436-4456