Users login

Create an account »


Users login

Home » Hacking News » Hotmail hacking, easy as falling off a log.

Hotmail hacking, easy as falling off a log.

by Nikola Strahija on September 11th, 2001 A new technique for attacking MSN Hotmail users has been discovered, the latest in a cat-and-mouse game between Microsoft and Javascript security holes.

By adding Javascript to the "From" line of a message sent to a Hotmail user, an attacker can evade the filters Microsoft has put in place to protect the millions who rely on MSN's popular Web-based e-mail service, Newsbytes has confirmed.

Microsoft representatives said the company was investigating the new attack and declined further comment.

The technique, announced today on a security mailing list, doesn't even require that the victim open the booby-trapped message.
According to a posting from Bart van Arnhem, a resident of the Netherlands using the nickname "Oblivion", Hotmail takes the "From" address on an incoming message and builds it into the HTML code for displaying the Hotmail user's Inbox.

As a result, simply viewing the service's Inbox page will cause the hostile Javascript to execute.

In an e-mail interview with Newsbytes, van Arnhem said that while Hotmail allows any data to be inserted in the "From" line of incoming messages, the service appears to be filtering Javascript from the "Subject" line.

According to Elias Levy, chief technology officer for SecurityFocus, the vulnerability could allow an attacker to write a Javascript program that steals a Hotmail user's login credentials, thus giving the attacker the ability to read, delete, and send mail as the user.

The demonstration posted by van Arnhem showed how the technique can be used to pop up a message box when the Hotmail recipient views his or her inbox. Van Arnhem also provided information on automatically redirecting the recipient's browser to a specified Internet address, as well as information on causing the Hotmail user's browser to run a program on a remote server.

Javascript is a scripting language developed by Netscape Communications which is used by many Web page designers to perform simple interactive tasks.

Microsoft's Web-based e-mail service has battled numerous Javascript-related security problems over the years. In 1998, MSN began filtering out any scripts buried in the body of e-mail addressed to Hotmail users. But after the company closed off that scripting avenue, wiley hackers discovered new ways to evade the filters, most recently by embedding Javascript in file attachments, and by hiding the code in the message's HTML "style" tags and "image" tags.

Van Arnhelm said he discovered the new attack after reading a desciption by Bulgarian security consultant Georgi Guninski of how to inject Javascript into Hotmail messages using IMG tags.

Although popular e-mail programs such as Microsoft's Outlook, Netscape's Messenger, and Qualcomm's Eudora can display messages in HTML format and are also vulnerable to messages containing embedded Javascript, most stand-alone e-mail clients allow users to block executable content in HTML messages.

Ironically, while Messenger and Eudora enable users to craft their own "From" addresses, Hotmail apparently parses the "From" field in messages sent from the service and does not allow Javascript to be embedded as the sender's address.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »