Wednesday May 10
New flaw discovered in MS Hotmail
By Margaret Kane, ZDNet News

A glitch in Hotmail could allow a hacker to tap into a user's account and read his or her e-mail.

A bug watcher has discovered a flaw in Hotmail that could allow a hacker to tap into a user's account and read his or her e-mail.

Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user’s cookie to the hacker.

Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user.

Microsoft Corp., which owns the Hotmail service, could not immediately be reached for comment.

Not a 'trivial bug'
Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.

The trick uses JavaScript to send the cookie. Hotmail filters JavaScript in regular e-mail messages but doesn't filter JavaScript in HTML attachments.
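The gap described above is a filter that inspects the message body but not HTML attachments. As an added illustration (not code from the article, from Haselton or from Hotmail), the following Python check walks every MIME part of a message and reports script-capable markup in attachments as well as in the body; the sample message, the function names and the coarse matching rules are all constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: harmless HTML body plus an HTML attachment with a placeholder script.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Hello, see the attached page.</p>
--b1
Content-Type: text/html; charset="us-ascii"
Content-Disposition: attachment; filename="page.html"

<html><body onload="init()"><script>/* placeholder */</script></body></html>
--b1--
"""

class ActiveContentFinder(HTMLParser):
    """Records script elements, on* handler attributes and javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):  # coarse: any on* attribute
                self.findings.append(f"{tag}@{name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")

def scan_message(raw):
    """Map every HTML part (body or attachment) to its active-content findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {}
    for i, part in enumerate(msg.walk()):
        name = part.get_filename() or ""
        html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if part.is_multipart() or not html:
            continue
        finder = ActiveContentFinder()
        charset = part.get_content_charset() or "latin-1"
        finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
        report[f"{i}:{name or 'body'}"] = finder.findings
    return report
```

A non-empty list for any part, attachment or not, marks content that should not be rendered in the webmail site's own origin without the same filtering the body receives.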

"It's not a trivial bug that has to do with formatting; it's the essential nature of the software," Haselton said. "Hotmail is what all the big hunters set their sights on. Most of the free e-mail services can be broken into, and you find a new way to do it every three weeks or so. But it's really scary that hobbyists are the ones who are doing this."

Haselton has discovered several bugs in the past, including a security flaw in the Eudora e-mail program, and a Netscape exploit that allowed Webmasters to view users' bookmarks.
