Image Tags Hide New Hotmail Security Attack

Source: Security News Portal - SNPortal

Users of Microsoft's Hotmail service are vulnerable to a new twist on an old trick for hiding potentially malicious scripts in the HTML code of e-mail messages, a security enthusiast has discovered.

Borrowing a technique published last year, Bart van Arnhem, who uses the hacker nickname "Oblivion," found that Hotmail's filters can be dodged by embedding Javascript code within specially crafted image tags.....

Image Tags Hide New Hotmail Security Attack

By Brian McWilliams, Newsbytes

According to van Arnhem, a resident of the Netherlands, the technique could, for example, be used by attackers to redirect users to a fake Hotmail site and trick them into re-entering their password.

In a harmless demonstration for Newsbytes, van Arnhem sent a test message that, when viewed, used Javascript to pop up a message box displaying the recipient's Hotmail personal profile. The data could have easily been directed to another address, according to van Arnhem.

A Microsoft representative said the company was studying the security report and had no immediate comment.

To protect users of its Web-based e-mail service, Microsoft has been attempting to filter Javascript, a simple Web scripting language, from messages since 1998.

Van Arnhem's technique relies on an image-tag filtering bug discovered in January 2000 in Hotmail by Bulgarian security consultant Georgi Guninski.

Click here to continue reading this article at NewsBytes.com.