Re: Serious Security Hole in Hotmail
Jonathan A. Zdziarski - Systems Administrator (jonz CARTMAN.NETRAIL.NET), Tue, 25 Aug 1998 16:31:47 -0400
- Next message: Leonid S. Knyshov: "Webmail.bellsouth.net security problems"
- Previous message: Jonathan James: "SV: Serious Security Hole in Hotmail"
- In reply to: Jeff Mcadams: "Re: Serious Security Hole in Hotmail"
It appears that Hotmail put a fix in this by s/<script>/<comment>/ or some variation, when you view a message.

On Tue, 25 Aug 1998, Jeff Mcadams wrote:

> Thus spake Tom Cervenka
>
> >We have just found a serious security hole in Microsoft's Hotmail
> >service (http://www.hotmail.com) which allows malicious users to easily
> >steal the passwords of Hotmail users. The exploit involves sending an
> >e-mail message that contains embedded javascript code. When a Hotmail
> >user views the message, the javascript code forces the user to re-login
> >to Hotmail. In doing so, the victim's username and password is sent to
> >the malicious user by e-mail. (see
> >http://www.because-we-can.com/hotmail/default.htm for demo)
>
> This is a variation on the Spartan Horse announced by Dan Gregorie over
> a week ago, and covered on news.com on the 14th. The Spartan Horse is
> available for viewing at:
> http://www.thetopoftheworld.com
> The news.com article is at:
> http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d
>
> The variation is that the Spartan Horse, as designed on the
> www.thetopoftheworld.com site, mimics the Windows95/98
> Dial-Up-Networking dialog box.
>
> This wasn't originally sent to BUGTRAQ because it doesn't exploit a
> specific flaw in programming code in any software, like this "Hot"Mail
> exploit. Perhaps that was an oversight on Dan's and my fault, but I
> did want to set the record straight on the origination of this idea for
> Dan's sake.
> --
> Jeff McAdams Email: jeffmiglou.com
> Head Network Administrator Voice: (502) 966-3848
> IgLou Internet Services (800) 436-4456

Thank you,
Jonathan A. Zdziarski
Senior Systems Administrator
Netrail, Inc.
888.NET.RAIL x242
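As an added example (not code from this thread or from Hotmail), the kind of tag substitution the post describes sits beside an allowlist sanitizer built on Python's `html.parser`: renaming `<script>` leaves the script text in the rendered mail, whereas the allowlist drops script elements, unknown tags and unsafe attributes. The sample mail body, its URL and the exact form of the "naive" filter are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample HTML mail body (not a real message) carrying an inline script.
SAMPLE_MAIL = (
    '<html><body><p>Hi!</p>'
    '<script>document.location="http://example.invalid/relogin"</script>'
    '<a href="http://www.hotmail.com">Mail</a></body></html>'
)


def naive_fix(body: str) -> str:
    """Assumed shape of the fix the post describes: rename <script> to <comment>."""
    return body.replace("<script>", "<comment>").replace("</script>", "</comment>")


ALLOWED_TAGS = {"html", "body", "p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # attribute allowlist per tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Allowlist sanitizer: emits only known tags/attributes, drops script content."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are removed, their text content is kept
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value \
                    and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize(body: str) -> str:
    """Return the mail body with only allowlisted markup and no script text."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```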