TUCoPS :: Web :: Specific Sites :: hotmail5.htm

Hotmail - injecting Javascript





    Georgi  Guninski  found   following.   Hotmail  allows   executing
    JavaScript code in email messages using

        <IMG LOWSRC="javascript:....">

    which may compromise user's Hotmail mailbox.

    There is a major security  flaw in Hotmail which allows  injecting
    and  executing  JavaScript  code  in  an  email  message using the
    javascript protocol.  This exploit works both on Internet Explorer
    5.x (almost sure IE 4.x)  and Netscape Communicator 4.x.   Hotmail
    filters the "javascript:" protocol for security reasons.  But  the
    following JavaScript is executed:

        <IMG LOWSRC="javascript:alert('Javascript is executed')">

    if  the  user  has  enabled  automatically loading of images (most
    users have).

    Executing JavaScript  when the  user opens  Hotmail email  message
    allows for example displaying a  fake login screen where the  user
    enters his password which is then stolen.  No need to make a scary
    demonstration, but it is also possible to read user's messages, to
    send messages from  user's name and  doing other mischief.   It is
    also possible to get the cookie from Hotmail, which is  dangerous.
    Hotmail deliberately  escapes all  JavaScript (it  can escape)  to
    prevent such attacks, but obviously  there are holes.  It  is much
    easier to  exploit this  vulnerability if  the user  uses Internet
    Explorer 5.x

    The code that must be included in HTML email message is:

        <IMG LOWSRC="javascript:alert('Javascript is executed')">

    A  quick  check  of  the  Messenger  Express web client built into
    Netscape  Messaging  Server  4.1  at  one  of  my  sites  seems to
    indicate that  it may  be vulnerable  as well,  as the  code above
    works fine  so long  as the  browser has  JS enabled.  However, it
    doesn't use cookies much if at all, so the cookie capture risk  is
    lower  though  it  seems  plausible  that  the  social engineering
    attacks remain a threat.

    Edwin Gonzalez tested the code and it seems that Yahoo's web-based
    email is also vulnerable.


    Microsoft developed a fix that eliminates this vulnerability,  and
    have deployed it to all Hotmail servers.  Workaround: disable JS.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH