Date: Mon, 24 Aug 1998 14:21:56 -0600
From: Tom Cervenka
Subject: Serious Security Hole in Hotmail

We have just found a serious security hole in Microsoft's Hotmail service (http://www.hotmail.com) which allows malicious users to easily steal the passwords of Hotmail users. The exploit involves sending an e-mail message that contains embedded javascript code. When a Hotmail user views the message, the javascript code forces the user to re-login to Hotmail. In doing so, the victim's username and password are sent to the malicious user by e-mail. (See http://www.because-we-can.com/hotmail/default.htm for a demo.)

Once a malicious user knows the password to the victim's Hotmail account, he can assume full control of the account, including the ability to:

- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of registration in old e-mails
- change the password of the Hotmail account

The security problem is dangerously easy to take advantage of. A would-be hacker needs only to embed the javascript code into the body of an e-mail message using a standard e-mail program such as Netscape Mail (free). In a working demonstration and full description of this exploit at http://www.because-we-can.com/hotmail/default.htm, it is shown that even users without their own internet service provider (ISP) can steal an arbitrary number of Hotmail passwords by using a free Geocities account.

The "Hot"mail exploit is a serious security concern for the following reasons:

1. The malicious code runs as soon as the e-mail message is viewed.
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals.
4. The exploit will work with any javascript-enabled browser, including Microsoft Internet Explorer and Netscape Communicator.

Both Microsoft and Hotmail have been notified that a security problem exists. The following information about the "Hot"Mail exploit is being made publicly available to speed the process of fixing the security hole and inform users how they can protect themselves. This information is also being released in the belief that when the public is aware of serious security problems, expedient measures are taken by software manufacturers to solve those problems.

--------------------------------------------------------------------------

Date: Tue, 25 Aug 1998 07:38:14 -0400
From: Jeff Mcadams
Subject: Re: Serious Security Hole in Hotmail

Thus spake Tom Cervenka
> We have just found a serious security hole in Microsoft's Hotmail
> service (http://www.hotmail.com) which allows malicious users to easily
> steal the passwords of Hotmail users. The exploit involves sending an
> e-mail message that contains embedded javascript code. When a Hotmail
> user views the message, the javascript code forces the user to re-login
> to Hotmail. In doing so, the victim's username and password is sent to
> the malicious user by e-mail. (see
> http://www.because-we-can.com/hotmail/default.htm for demo)

This is a variation on the Spartan Horse announced by Dan Gregorie over a week ago, and covered on news.com on the 14th. The Spartan Horse is available for viewing at: http://www.thetopoftheworld.com

The news.com article is at: http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d

The variation is that the Spartan Horse, as designed on the www.thetopoftheworld.com site, mimics the Windows95/98 Dial-Up-Networking dialog box. This wasn't originally sent to BUGTRAQ because it doesn't exploit a specific flaw in programming code in any software, like this "Hot"Mail exploit does. Perhaps that was an oversight on Dan's and my part, but I did want to set the record straight on the origination of this idea for Dan's sake.

-- 
Jeff McAdams                      Email: jeffm@iglou.com
Head Network Administrator        Voice: (502) 966-3848
IgLou Internet Services                  (800) 436-4456

--------------------------------------------------------------------------

Date: Tue, 25 Aug 1998 16:31:47 -0400
From: "Jonathan A. Zdziarski - Systems Administrator"
Subject: Re: Serious Security Hole in Hotmail

it appears that hotmail put a fix in this by s/

STEP 4: We composed a new e-mail message to our (example) victim, victim@hotmail.com. We inserted the file message.htm into the e-mail message and then sent it.

STEP 5: We waited for our victim to check his Hotmail account. Shortly after he viewed our message, we checked our Geocities email. We received an e-mail message from Geocities that listed the ip address, username, and password of the Hotmail user victim@hotmail.com.

--------------------------------------------------------------------------

"HOT"MAIL EXPLOIT TARGETING ANY JAVASCRIPT-ENABLED BROWSER

This page describes how users with moderate resources (web-space with an Internet Service Provider) can use "Hot"Mail against users of any javascript-enabled browser. We required no resources or special hardware beyond what is listed below.

Hotmail has issued a patch to the problem; however, we have discovered a problem with their fix. The following describes how we stole passwords from Netscape Navigator 4.0x users after Hotmail posted a fix on the morning of Monday August 25, 1998.

INGREDIENTS:
* 1 Computer with internet access
* 1 Netscape Mail (or equivalent e-mail program)
* 1 Notepad (or equivalent text editor)
* web-page space

STEP 1: We visited hotmail.com and registered for a free e-mail account. We did not have to enter valid contact information during the registration process.

STEP 2: We visited Geocities.com and registered for a free homepage. We chose the username ybwc. We did not have to enter valid contact information during the registration process, except for an e-mail address. We used the e-mail address from step 1. As part of our registration, we were given a new free email account from Geocities (ybwc@geocities.com).

STEP 3: We opened our notepad and typed in the following text, which we then saved as getmsg.htm. Then we uploaded the file onto our web-space. Line 14 contains our Geocities username (ybwc), from step 2.
    [visible text of getmsg.htm as rendered; the HTML source is not reproduced in this copy]
    We're Sorry, We Cannot
    Process Your Request
    Reason: Time expired. Please re-login.
    (Get more info regarding error messages here)
    Login Name:
    Password:
    Return to Hotmail's Homepage.
    Copyright 1996-1997

STEP 4: We opened our notepad and typed in the following text, which we then saved as message.htm. Line 4 contains the URL of the file getmsg.htm from step 3.

    [visible text of message.htm as rendered; the HTML source is not reproduced in this copy]
    "Go where you want today" - Blue Adept

STEP 4: We composed a new e-mail message to our victim, victim@hotmail.com*. We inserted the file message.htm into the e-mail message and then sent it.

STEP 5: We waited for our victim to check his Hotmail account. Shortly after he viewed our message, we checked our Geocities email. It contained an e-mail message from Geocities that listed the ip address, username, and password of the Hotmail user victim@hotmail.com.

--------------------------------------------------------------------------

HOW THE "HOT"MAIL EXPLOIT WORKS

Why does the "Hot"Mail exploit work? The security problem lies in Microsoft's Hotmail service itself. Hotmail makes no attempt to filter Javascript code from email messages, allowing malicious users to embed arbitrary javascript programs into their e-mail messages. Javascript programs do not normally constitute a security problem when they are used in personal web-pages. However, when javascript code is embedded into a Hotmail message, it can alter the properties of the Hotmail user-interface itself.

In the case of the exploits we describe, the javascript alters the properties of every link in the Hotmail interface that the user could click on. The links are altered so that when the user clicks on them, a (bogus) Hotmail message is displayed, informing the user that they have timed out of their Hotmail session and must log in again to continue. The (bogus) time-out page also gives the user some text-entry fields where they can type in their username and password to re-login. However, when the user types in their username and password, the information is sent back to the malicious user.

In the exploits we describe, the part of the program that does the actual "dirty-work" of mailing the password and username is provided by Geocities as a (free) service to all their members. This should not be viewed as an oversight or problem with Geocities, since there are thousands of equivalent server-side mailing programs that we could have used in its place.

The "Hot"Mail exploit is just one of many potentially damaging javascript programs that could be embedded into mail messages. Since javascript code in email messages can run as soon as the message is viewed, and can alter virtually any aspect of the user interface, we urge Hotmail to implement a javascript filter.

--------------------------------------------------------------------------

HOW TO PROTECT YOURSELF FROM "HOT"MAIL

Until Hotmail fixes the security problem, we suggest that Hotmail users turn off javascript in their browsers. Even users familiar with our version of the exploit may be vulnerable to other javascript programs embedded in Hotmail messages. Netscape users can turn javascript off in their preferences (Edit / Preferences / Advanced / Disable JavaScript). Microsoft Internet Explorer users can turn JScript off in their preferences (View / Internet Options / Security / Custom Settings / Scripting / Disable Active Scripting).
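The "javascript filter" the authors urge Hotmail to adopt, as an added example that is neither the advisory's code nor Hotmail's actual fix: an allowlist HTML filter for message bodies that drops script elements, every on* event handler and any href with a script-bearing scheme, so mail content cannot rewrite the webmail interface's links. The tag/attribute allowlists and the sample message are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (assumed for this example, not Hotmail's actual policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

def _safe_url(value):
    # Strip whitespace/control chars first ("java\tscript:" still runs), then keep
    # known-safe schemes and scheme-less relative links only.
    cleaned = "".join(ch for ch in (value or "") if ch > " ").lower()
    return cleaned.startswith(SAFE_SCHEMES) or ":" not in cleaned

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0  # skipping > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1  # the whole element, content included, is dropped
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return  # unlisted tags (img, form, iframe, ...) vanish; their text stays
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # every on* event handler goes, whatever the tag
            if name == "href" and not _safe_url(value):
                continue  # javascript: (and any other unlisted scheme) goes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # re-escaped so text cannot reopen a tag

def sanitize_mail_html(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()  # flushes any buffered trailing text
    return "".join(parser.out)

SAMPLE_MAIL = (  # constructed sample: benign formatting plus script-bearing constructs
    '<p>Hi <b>there</b>, see <a href="http://example.com/page">this</a>.</p>'
    '<script>rewriteLinks()</script><img src="x" onerror="rewriteLinks()">'
    '<a href="javascript:showBogusLogin()" onclick="showBogusLogin()">Inbox</a>'
    '<a href="jav\tascript:x">odd</a><br>')
```

A regex-only filter would miss the tab-split scheme and the handler on an otherwise harmless tag; walking the parsed markup and re-emitting only what is allowlisted catches both.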