THE "HOT"MAIL EXPLOIT AND HOW TO PROTECT YOURSELF
by Because-we-can.com
This document describes a serious security problem we discovered in
Microsoft's Hotmail service which allows malicious users to easily
steal the passwords of Hotmail users. The exploit involves
sending e-mail messages that contain JavaScript code as part of
the message body. When a Hotmail user views the message, the
embedded JavaScript code forces the user to re-login to Hotmail.
In doing so, the victim's username, password, and IP address are sent to the malicious user by
e-mail.
Once a malicious user knows the password to the victim's Hotmail account, she can assume full
control of the account, including the ability to:
delete, send, and read the victim's e-mail
check mail on other mail servers that the victim has configured for mail-checking
access the victim's address book
discover other passwords sent as confirmation of registration in old e-mails
change the password of the Hotmail account
The security problem is easy to take advantage of. A would-be hacker needs only to embed the
javascript code into the body of an e-mail message using a standard e-mail program such as
Netscape Mail (free). In a working demonstration of this exploit, we show that even users without
their own internet service provider (ISP) can steal an arbitrary number of Hotmail passwords by
using a free Geocities account.
We believe the "Hot"mail exploit to be a serious security concern for the following reasons:
1. The malicious code runs as soon as the e-mail message is viewed.
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes,
or classroom terminals.
4. The exploit will work with any JavaScript-enabled browser, including Microsoft Internet
Explorer and Netscape Communicator.
Because-we-can.com has notified both Microsoft and Hotmail that a security problem exists. We
are making the following detailed information about the "Hot"Mail exploit publicly available to
speed the process of fixing the security hole. In general, we believe that when the public is aware
of serious security problems, expedient measures are taken to solve those problems. Learn how
to protect yourself from "Hot"Mail in the short term in the section "How to protect yourself" below.
HOW THE "HOT"MAIL EXPLOIT WORKS
Why does the "Hot"Mail exploit work? The security problem lies in Microsoft's Hotmail service
itself. Hotmail makes no attempt to filter Javascript code from email messages, allowing malicious
users to embed arbitrary javascript programs into their e-mail messages. Javascript programs do
not normally constitute a security problem when they are used in personal web-pages. However,
when javascript code is embedded into a Hotmail message, it can alter the properties of the
Hotmail user-interface itself.
In the case of the exploits we describe, the javascript alters the properties of every link in the
Hotmail interface that the user could click on. The links are altered so that when the user clicks on
them, a (bogus) Hotmail message is displayed, informing the user that they have timed-out of
their Hotmail session and must log-in again to continue. The (bogus) time-out page also gives the
user some text-entry fields where they can type in their username and password to re-login.
However, when the user types in their username and password, the information is sent back to the
malicious user.
In the exploits we describe, the part of the program that does the actual "dirty-work" of mailing the
password and username is provided by Geocities as a (free) service to all their members. This
should not be viewed as an oversight or problem with Geocities, since there are thousands of
equivalent server-side mailing programs that we could have used in its place.
The "Hot"Mail exploit is just one of many potentially damaging javascript programs that could be
embedded into mail messages. Since javascript code in email messages can run as soon as the
message is viewed, and can alter virtually any aspect of the user interface, we urge Hotmail to
implement a javascript filter.
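The filter the paragraph above calls for, as an added example (not Hotmail's code and not from the advisory's authors): an allow-list HTML sanitizer written with Python's standard-library parser. It drops <script> bodies, every event-handler attribute, links whose scheme is not http/https/mailto, and forged <form> elements, and it records what it removed so a mail gateway can log the attempt. The sample message is constructed here and is not the authors' message.htm.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list: anything not named here is dropped, so no "on*" handler attribute
# and no <script> tag can pass, however the sender spells or encodes it.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# These lose their whole content: script bodies and forged re-login forms never render.
DROP_CONTENT_TAGS = {"script", "style", "form", "iframe", "object"}
# Constructed sample message (not the advisory's message.htm).
SAMPLE_MAIL = ('<p>Hi <b>there</b>,</p><script>document.title="x"</script>'
               '<a href="http://example.com" onclick="document.title=1">ok</a>'
               '<a href=" JavaScript:document.title=2">bad</a><form><input type="password"></form>')

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized HTML fragments
        self.removed = []   # audit trail of what was stripped: "tag" or "tag@attr"
        self.dropping = 0   # nesting depth inside a DROP_CONTENT tag
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            self.removed.append(tag)
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return   # unknown tag dropped, its text content is kept
        kept = []
        for name, value in attrs:
            value = "".join(ch for ch in (value or "") if ch > " ")  # no whitespace/control chars
            if name in ALLOWED_ATTRS.get(tag, ()) and (
                    name != "href" or value.lower().startswith(SAFE_SCHEMES)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.removed.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))   # text stays text, never markup

def sanitize_mail_html(html_text):
    p = MailSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.removed
```

Calling sanitize_mail_html(SAMPLE_MAIL) returns the cleaned body together with the list ["script", "a@onclick", "a@href", "form"], which is the signal worth alerting on; an unclosed <form> fails closed and suppresses everything after it.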
HOW TO PROTECT YOURSELF FROM "HOT"MAIL
Until Hotmail fixes the security problem, we suggest that Hotmail users turn off javascript in their
browsers. Even users familiar with our version of the exploit may be vulnerable to other javascript
programs embedded in Hotmail messages.
Netscape users can turn javascript off in their preferences (edit / preferences / advanced / disable
javascript).
Microsoft Internet Explorer users can turn jscript off in their preferences (view / internet options /
security / custom settings / scripting / disable active scripting).
This section demonstrates how we used the "Hot"Mail exploit with minimal resources to steal
passwords from Hotmail users. Our goal was to show that using only the items listed below, we
could steal a victim's Hotmail password and remain anonymous.
INGREDIENTS:
1 Computer with Internet Access
1 Netscape Mail (or equivalent e-mail program)
1 Notepad (or equivalent text editor)
STEP 1: We visited hotmail.com and registered for a free e-mail account. We did not have
to enter valid contact information during the registration process.
STEP 2:
We visited Geocities.com and registered for a free
homepage. We chose the username ybwc. We did not have to enter valid contact information during the registration process,
except for an e-mail address. We used the e-mail address from step 1. As part of our
registration, we were given a new free email account from Geocities (ybwc@geocities.com).
STEP 3:
We opened our notepad and typed in the following text, which
we then saved as message.htm. Line 17 contains our Geocities username (ybwc), from step 2.
"Go where you want today" - Blue Adept
STEP 4: We composed a new e-mail message to our (example) victim,
victim@hotmail.com. We inserted the file message.htm into the e-mail
message and then sent it.
STEP 5: We waited for our victim to check his Hotmail account. Shortly
after he viewed our message, we checked our Geocities e-mail. We
received an e-mail message from Geocities that listed the IP address,
username, and password of the Hotmail user victim@hotmail.com.