Users login

Create an account »


Users login

Home » Hacking News » Yet another hole in hotmail security

Yet another hole in hotmail security

by Majik on October 23rd, 2001 Users of Microsoft's Hotmail service are vulnerable to a new twist on an old trick for hiding potentially malicious scripts in the HTML code of e-mail messages, a security enthusiast has discovered.

Borrowing a technique published last year, Bart van Arnhem, who uses the hacker nickname "Oblivion," found that Hotmail's filters can be dodged by embedding Javascript code within specially crafted image tags.

According to van Arnhem, a resident of the Netherlands, the technique could, for example, be used by attackers to redirect users to a fake Hotmail site and trick them into re-entering their password.

In a harmless demonstration for Newsbytes, van Arnhem sent a test message that, when viewed, used Javascript to pop up a message box displaying the recipient's Hotmail personal profile. The data could have easily been directed to another address, according to van Arnhem.

A Microsoft representative said the company was studying the security report and had no immediate comment.

To protect users of its Web-based e-mail service, Microsoft has been attempting to filter Javascript, a simple Web scripting language, from messages since 1998.

Van Arnhem's technique relies on an image-tag filtering bug discovered in January 2000 in Hotmail by Bulgarian security consultant Georgi Guninski.

While that attack was subsequently blocked by Microsoft, van Arnhem said his technique is successful because he embeds two addresses to Javascript code using an HTML command called a "style attribute."

Hotmail only filters the first Javascript location, he said.

The attack could potentially work with any HTML tag that supports the "style" attribute and is not filtered out by Hotmail, according to van Arnhem, who posted information about his discovery Saturday on Vuln-Dev, a popular information security mailing list.

Image tags are ordinarily used by Web page designers to insert photos or other image files within Web pages. They are also automatically added to messages by some e-mail software when users compose a message containing a picture.

Last month, van Arnhem discovered that Hotmail's filters could be evaded by adding Javascript code to the "From" line of a message sent to a Hotmail user. Microsoft has since plugged that hole, he said.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »