New Hotmail Hack Evades Filters

posted on September 12, 2001
by hitbsecnews

A new technique for attacking MSN Hotmail users has been discovered, the latest in a cat-and-mouse game between Microsoft [NASDAQ:MSFT] and Javascript security holes.
By adding Javascript to the "From" line of a message sent to a Hotmail user, an attacker can evade the filters Microsoft has put in place to protect the millions who rely on MSN's popular Web-based e-mail service, Newsbytes has confirmed.

Microsoft representatives said the company was investigating the new attack and declined further comment.

The technique, announced today on a security mailing list, doesn't even require that the victim open the booby-trapped message.

According to a posting from Bart van Arnhem, a resident of the
Netherlands using the nickname "Oblivion," Hotmail takes the “From”
address on an incoming message and builds it into the HTML code for
displaying the Hotmail user's Inbox.

As a result, simply viewing the service's Inbox page will cause the
hostile Javascript to execute.

In an e-mail interview with Newsbytes, van Arnhem said that while
Hotmail allows any data to be inserted in the "From" line of
incoming messages, the service appears to be filtering Javascript
from the "Subject" line.
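
The pattern described above, as an added example (not code from the article, from van Arnhem's posting, or from Hotmail): an inbox row builder that filters one header but concatenates another as-is, beside a version that HTML-encodes every header value at output. The function names, the stand-in Subject filter and the sample message are hypothetical and constructed for illustration.

```javascript
// Added illustration: a webmail inbox row built from message headers.
// All names are hypothetical; this is not Hotmail's code.

// Constructed sample message: the From display name carries markup.
const sampleMessage = {
  from: '"<script>alert(1)</script>" <sender@example.com>',
  subject: 'Hello <script>alert(2)</script>',
};

// Stand-in (assumption) for a per-field filter like the one the article
// says appeared to be applied to the Subject line.
function stripScriptTags(value) {
  return value.replace(/<\/?script[^>]*>/gi, '');
}

// Vulnerable pattern: Subject is filtered, From is concatenated as-is.
function renderRowVulnerable(msg) {
  return '<tr><td>' + msg.from + '</td><td>' +
         stripScriptTags(msg.subject) + '</td></tr>';
}

// Encode the characters that are significant in HTML element content
// and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every header-derived value is encoded at output, so
// no field depends on a filter having been applied somewhere upstream.
function renderRowHardened(msg) {
  return '<tr><td>' + escapeHtml(msg.from) + '</td><td>' +
         escapeHtml(msg.subject) + '</td></tr>';
}

// True if the rendered HTML contains a live <script> element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable row has script element:',
            containsScriptElement(renderRowVulnerable(sampleMessage)));
console.log('hardened row has script element:',
            containsScriptElement(renderRowHardened(sampleMessage)));
console.log(renderRowHardened(sampleMessage));
```

Encoding at the point of output covers From, Subject and any other header shown in the list without each one needing its own filter.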

According to Elias Levy, chief technology officer for SecurityFocus,
the vulnerability could allow an attacker to write a Javascript
program that steals a Hotmail user's login credentials, thus giving
the attacker the ability to read, delete, and send mail as the user.

The demonstration posted by van Arnhem showed how the technique can
be used to pop up a message box when the Hotmail recipient views his
or her inbox. Van Arnhem also provided information on automatically
redirecting the recipient's browser to a specified Internet address,
as well as information on causing the Hotmail user's browser to run a
program on a remote server.

Javascript is a scripting language developed by Netscape
Communications which is used by many Web page designers to perform
simple interactive tasks.

Microsoft's Web-based e-mail service has battled numerous
Javascript-related security problems over the years. In 1998, MSN
began filtering out any scripts buried in the body of e-mail
addressed to Hotmail users. But after the company closed off that
scripting avenue, wily hackers discovered new ways to evade the
filters, most recently by embedding Javascript in file attachments,
and by hiding the code in the message's HTML "style" tags and
"image" tags.

Van Arnhem said he discovered the new attack after reading a
description by Bulgarian security consultant Georgi Guninski of how
to inject Javascript into Hotmail messages using IMG tags.

Although popular e-mail programs such as Microsoft's Outlook,
Netscape's Messenger, and Qualcomm's Eudora can display messages in
HTML format and are also vulnerable to messages containing embedded
Javascript, most stand-alone e-mail clients allow users to block
executable content in HTML messages.

Ironically, while Messenger and Eudora enable users to craft their
own “From” addresses, Hotmail apparently parses the “From” field in
messages sent from the service and does not allow Javascript to be
embedded as the sender's address.

The report on evading Hotmail's Javascript filters is here:
http://www.securityfocus.com/archive/82/213236 .

MSN Hotmail is online at http://www.hotmail.com .

Reported by Newsbytes, http://www.newsbytes.com .
