Bugtraq mailing list archives

Re: Serious Security Hole in Hotmail


From: jeffm () IGLOU COM (Jeff Mcadams)
Date: Tue, 25 Aug 1998 07:38:14 -0400


Thus spake Tom Cervenka

We have just found a serious security hole in Microsoft's Hotmail
service (http://www.hotmail.com) which allows malicious users to easily
steal the passwords of Hotmail users. The exploit involves sending an
e-mail message that contains embedded javascript code. When a Hotmail
user views the message, the javascript code forces the user to re-login
to Hotmail. In doing so, the victim's username and password are sent to
the malicious user by e-mail. (see
http://www.because-we-can.com/hotmail/default.htm for demo)

This is a variation on the Spartan Horse announced by Dan Gregorie over
a week ago, and covered on news.com on the 14th.  The Spartan Horse is
available for viewing at:
http://www.thetopoftheworld.com
The news.com article is at:
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows95/98
Dial-Up-Networking dialog box.

This wasn't originally sent to BUGTRAQ because it doesn't exploit a
specific flaw in programming code in any software, like this "Hot"Mail
exploit.  Perhaps that was an oversight on Dan's and my part, but I
did want to set the record straight on the origination of this idea for
Dan's sake.
--
Jeff McAdams                            Email: jeffm () iglou com
Head Network Administrator              Voice: (502) 966-3848
IgLou Internet Services                        (800) 436-4456