New Hotmail hole discovered
From
"Robert Kemp" <sensuant@hotmail.com>
Date
Wed, 15 Sep 1999 14:31:36 EDT
[: hacktivism :]
from http://www.zdnet.com
New Hotmail hole discovered
Javascript can be used to jimmy open Hotmail accounts, bugfinder says. 'This
is not a security issue,' Microsoft says.
By Steven J. Vaughan-Nichols, Sm@rt Reseller September 13, 1999 3:50 PM PT
Just what the world didn't need: Another way to crack open Microsoft's
beleaguered free, Web-based e-mail system, Hotmail. But, that's exactly what
noted Bulgarian bugfinder Georgi Guninski claims to have found.
Guninski, who has made a name for himself by finding security violations in
browsers, has found that Hotmail enables Web-paged embedded Javascript code
to run automatically
This makes it possible for someone to write Web programs that could do
anything from steal passwords to read others' mail. While it's long been
known that active Web applets, whether written in ActiveX or Java, have the
potential to pry open systems from the inside, this is the first case in
which someone has shown that Hotmail is vulnerable to such attacks.
Not just a theoretical hole:
Is this a purely theoretical hole or one that can only be used by crackers
to attack users? The answer, unfortunately, is the latter: Correctly written
JavaScript programs can, at the least, raid users' inboxes.
Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem.
"This is not a Hotmail security issue. We see it as an example of people
encouraging users to run malicious code on the Web," a Microsoft
spokesperson said.
"To protect yourself now, you can disable JavaScript, just disable it before
using Hotmail, or do not open mail from unknown people when you think it
might contain JavaScript," the spokesperson added. "Microsoft is
investigating ways for Hotmail users to have greater security against
threats posed by malicious use of JavaScript in e-mail."
The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML
tag "STYLE." Java programmers and Webweavers use STYLE to insert JavaScript
into HTML pages. The solution is to force Hotmail to handle STYLE in the
same way it does ordinary JavaScript -- disabling it on arrival.
Timing couldn't be worse:
The fix may be simple, but the timing for Microsoft could not be worse. The
latest Hotmail security breach follows by weeks a major Hotmail security
meltdown. It took Microsoft hours to fix the problem, but millions of user
accounts were left unprotected in the interim. Since that initial breach,
the company has brought in TrustE and another auditing firm to help it head
off future Hotmail security breaches.
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
In accordance with Title 17 U.S.C. section 107, this
material is distributed without charge or profit to those
who have expressed a prior interest in receiving this type
of information for non-profit research and educational
purposes only.
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http://www.angelfire.com/mi/smilinks/thirdeye.html
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]