COMMAND

    Hotmail

SYSTEMS AFFECTED

    Hotmail

PROBLEM

    Georgi Guninski found the following.  Hotmail allows executing
    JavaScript code in email messages using

        <IMG LOWSRC="javascript:....">

    which may compromise the user's Hotmail mailbox.

    There is a major security flaw in Hotmail which allows injecting
    and executing JavaScript code in an email message using the
    javascript: protocol.  This exploit works both on Internet Explorer
    5.x (almost certainly IE 4.x as well) and Netscape Communicator 4.x.
    Hotmail filters the "javascript:" protocol for security reasons,
    but the following JavaScript is still executed:

        <IMG LOWSRC="javascript:alert('Javascript is executed')">

    if the user has enabled automatic loading of images (which most
    users have).

    Executing JavaScript when the user opens a Hotmail email message
    allows, for example, displaying a fake login screen where the user
    enters his password, which is then stolen.  There is no need to
    make a scary demonstration, but it is also possible to read the
    user's messages, to send messages in the user's name and to do
    other mischief.  It is also possible to get the user's Hotmail
    cookie, which is dangerous.  Hotmail deliberately escapes all the
    JavaScript it can detect to prevent such attacks, but obviously
    there are holes.  It is much easier to exploit this vulnerability
    if the user uses Internet Explorer 5.x.

    The code that must be included in HTML email message is:

        <IMG LOWSRC="javascript:alert('Javascript is executed')">
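
    The filtering failure described above, that a check for the literal
    "javascript:" in a few well-known attributes misses LOWSRC, is
    easiest to see with a scheme-allowlist sanitizer.  The following
    Python is an added example, not Hotmail's code and not Georgi
    Guninski's; the attribute list, the allowed schemes and the sample
    messages are assumptions constructed for it.  It parses a message
    body with the standard html.parser, inspects every URL-bearing
    attribute (LOWSRC included) and drops any whose scheme is not on
    the allowlist, keeping relative URLs and http/https/mailto links.

```python
"""Scheme-allowlist sanitizer for HTML email (added example).

Assumptions, not taken from the advisory: the set of URL-bearing
attributes, the allowed schemes and the sample messages at the bottom
are all constructed here.
"""
import html
import re
from html.parser import HTMLParser

# Every attribute whose value the browser treats as a URL, not only SRC
# and HREF.  LOWSRC is the one the advisory shows slipping past the filter.
URL_ATTRIBUTES = {"src", "lowsrc", "dynsrc", "href", "background",
                  "action", "formaction", "data", "poster", "cite"}

# Allowlist: any scheme not listed is dropped.  A blocklist of the word
# "javascript" would miss other scriptable schemes and spelling variants.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of a URL, or "" for a relative URL.

    Browsers ignore whitespace and control characters when reading the
    scheme, so they are removed before matching.  Entity references were
    already decoded by the parser (convert_charrefs=True), so the check
    runs on the value the browser would actually see.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


def attribute_allowed(name: str, value) -> bool:
    """Keep non-URL attributes as-is; URL attributes must use an allowed scheme."""
    if name.lower() not in URL_ATTRIBUTES or value is None:
        return True
    scheme = url_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


class MailSanitizer(HTMLParser):
    """Re-serialise HTML, dropping URL attributes whose scheme is not allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attribute, value) for each removed attribute

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if not attribute_allowed(name, value):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry nothing the recipient needs; drop them

    def result(self) -> str:
        return "".join(self.out)


def sanitize(message_html: str):
    """Return (clean_html, dropped) for one HTML message body."""
    parser = MailSanitizer()
    parser.feed(message_html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed samples: the advisory's payload, a benign message, and a link.
SAMPLES = {
    "advisory": "<IMG LOWSRC=\"javascript:alert('Javascript is executed')\">",
    "benign": '<p>Hi!</p><img src="http://example.test/logo.gif" '
              'lowsrc="http://example.test/logo-small.gif">',
    "link": '<a href="JavaScript:alert(1)">click</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        clean, dropped = sanitize(body)
        print(f"{label}: {clean}")
        for tag, attr, value in dropped:
            print(f"  dropped {attr} on <{tag}> (scheme {url_scheme(value)!r})")
```

    Run directly, it reduces the advisory's payload to a bare <img>
    while the benign message passes through unchanged.  Two design
    points matter: the decision is made on the decoded attribute value,
    as the browser sees it, and it is an allowlist of schemes rather
    than a blocklist of the word "javascript", so case variants and
    other scriptable schemes are dropped without having to be listed.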

    A quick check of the Messenger Express web client built into
    Netscape Messaging Server 4.1 at one of my sites seems to indicate
    that it may be vulnerable as well, as the code above works fine so
    long as the browser has JS enabled.  However, it doesn't use
    cookies much if at all, so the cookie capture risk is lower, though
    it seems plausible that the social engineering attacks remain a
    threat.

    Edwin Gonzalez tested the code and it seems that Yahoo's web-based
    email is also vulnerable.

SOLUTION

    Microsoft developed a fix that eliminates this vulnerability and has
    deployed it to all Hotmail servers.  Workaround: disable JavaScript
    in the browser.