from: http://www.wired.com/news/technology/0,1282,36241,00.html

-----

Hole Exposes Hotmail Email
by Declan McCullagh

3:00 a.m. May. 10, 2000 PDT

A new security hole in Microsoft's Hotmail service allows enterprising snoops to browse your email messages without a password.

If a Hotmail user clicks on an attachment that contains a JavaScript Trojan horse, an attacker can read, send, and delete messages from that person's account.

"Anyone could use this trick to gain access to another person's Hotmail account temporarily and read their messages," says Bennett Haselton, a programmer who lives in Bellevue, Washington and discovered the bug.

Wired News verified the exploit, but Microsoft said it did not have an immediate response.

"We always research potential issues and if indeed there is a problem, we work on an immediate fix for best customer end result," said Microsoft spokeswoman Jessica Schaefer.

Hotmail, which claims to be the world's largest provider of Web-based email, has encountered other security glitches in the past. Last summer one problem exposed the personal email accounts of over 50 million users to prying eyes.

The attack works when a Hotmail user clicks on an HTML attachment with an embedded Trojan horse. The attachment intercepts Hotmail.com's cookies -- which include a session key called MSPAUTH -- and forwards them to the attacker's computer.

With the MSPAUTH key, an intruder can obtain complete access to a Hotmail account, which also could include finding POP email account passwords stored with Hotmail.

"It took about two hours to get it all working," says Haselton, an anti-blocking software activist who has unearthed five security glitches in browser and email software in the last two weeks.

Haselton said users are accustomed to being able to click on links in their Web browsers without ill effect.
"There's no way to notify all Hotmail users that they should be aware of the dangers of clicking on an HTML attachment. It won't work," he said. "Experienced users will just ignore that. Viewing a remote HTML file should not be at all dangerous." Microsoft said its development team is looking into the problem. Microsoft encountered further criticism last week, when Unix and Macintosh users applauded the fact that they were immune from the Love Bug worm. Copyright � 2000 Wired Digital Inc., a Lycos Network site. All rights reserved. <A HREF="http://www.ctrl.org/">www.ctrl.org</A> DECLARATION & DISCLAIMER ========== CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance�not soap-boxing�please! These are sordid matters and 'conspiracy theory'�with its many half-truths, misdirections and outright frauds�is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://home.ease.lsoft.com/archives/CTRL.html <A HREF="http://home.ease.lsoft.com/archives/ctrl.html">Archives of [EMAIL PROTECTED]</A> http:[EMAIL PROTECTED]/ <A HREF="http:[EMAIL PROTECTED]/">ctrl</A> ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om
