From: Tom Cervenka <[EMAIL PROTECTED]> Date: Mon, 24 Aug 1998 14:21:56 -0600 To: [EMAIL PROTECTED] Tom Cervenka wrote: > We have just found a serious security hole in Microsoft's Hotmail > service (http://www.hotmail.com) which allows malicious users to easily > steal the passwords of Hotmail users. The exploit involves sending an > e-mail message that contains embedded javascript code. When a Hotmail > user views the message, the javascript code forces the user to re-login > to Hotmail. In doing so, the victim's username and password is sent to > the malicious user by e-mail. (see > http://www.because-we-can.com/hotmail/default.htm for demo) > > Once a malicious user knows the password to the victim's Hotmail > account, he can assume full control of the account, including the > ability to: > > - delete, send, and read the victim's e-mail > - check mail on other mail servers that the victim has > configured for mail-checking > - access the victim's address book > - discover other passwords sent as confirmation of > registration in old e-mails > - change the password of the Hotmail account > > The security problem is dangerously easy to take advantage of. A > would-be hacker needs only to embed the javascript code into the body of > an e-mail message using a standard e-mail program such as Netscape Mail > (free). In a working demonstration and full description of this exploit > at http://www.because-we-can.com/hotmail/default.htm, it is shown that > even users without their own internet service provider (ISP) can steal > an arbitrary number of Hotmail passwords by using a free Geocities > account. > > The "Hot"mail exploit is a serious security concern for the following > reasons: > > 1.The malicious code runs as soon as e-mail message is viewed > 2.The resources required to launch the attack are minnimal and > freely available. > 3.The malicious e-mail can be sent from virtually anywhere, > including libraries, > internet cafes, or classroom terminals > 4.The exploit will work with any javascript-enabled browser, > including the Microsoft > Internet Explorer and Netscape Communicator. > > Both Microsoft and Hotmail have been notified that a security problem > exists. The following information about the "Hot"Mail exploit is being > made publicly available to speed the process of fixing the security hole > and inform users how they can protect themselves. This information is > also being released in the belief that when the public is aware of > serious security problems, expedient measures are taken by software > manufacturers to solve those problems. -- Ronny Haryanto @ http://come.to/ronny -- /usr/bin/fortune says: "If your parents had no children, chances are, you won't either." ---------------------------------------------------------------------- Unsubscribe: [EMAIL PROTECTED] Archive: http://www.vlsm.org/linux-archive/ Linux CD: [EMAIL PROTECTED]
