Peacefire.org Youth against Internet censorship "It's not a crime to be smarter than your parents."
-Bennett Haselton, bennett@peacefire.org
5/10/2000
News sightings: Wired | ZDNet | Slashdot | MSNBC
See also:
JavaScript-in-cookies security hole (4/19/00): C-Net | ZDNet | NTSecurity
Eudora "stealth attachment" demo page (4/27/00): C-Net | ZDNet | Newsbytes
Internet Explorer "local JavaScript" security hole (5/5/00): C-Net | NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00): C-Net
Update 11:45 am PST 5/10/2000 -- HotMail has closed this security hole so the demo will no longer work. (Now, when you try to access an attached HTML file by loading it from a URL starting with a host name, HotMail will redirect you to the same URL with an IP address at the beginning, before the JavaScript on the attached page has a chance to intercept the cookie. This will make more sense after reading the description below.)
This page describes a security hole in HotMail that allows an intruder to break into someone's HotMail account by sending that person an email message with an attached HTML file. When the user views the attached HTML file, their cookies in the HotMail.MSN.com domain are intercepted and sent to a hostile site; since the cookies are used for authentication, whoever receives them can then log into HotMail as that user.
There is no demo available, since this exploit will almost certainly become obsolete as soon as HotMail fixes the problem.
Explanation
HotMail already filters JavaScript from incoming email messages, but it does not filter JavaScript in attached HTML files. To prevent JavaScript in attached HTML files from accessing a user's cookies, the HotMail server loads the attached file from a URL that begins with an IP address rather than a host name. This is because cookies that are set for a host name or domain name will not be sent to a site which is accessed by its IP address, even if that site is the same as the site which set the cookie.
However, it turns out that there are only six different IP addresses that are used to load attached HTML files, and all of them correspond to hostnames that are in the .hotmail.msn.com domain:
Suggested fix:
HotMail could filter JavaScript from attached HTML files just as it does for email messages. Or, when a user clicks to view an HTML attachment, HotMail could prompt them to view the "safe" version by default, but provide them with a link to view the "unsafe" version, with a warning that hostile code in the "unsafe" version could intercept their HotMail cookies.
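The following is an added example, not code from Peacefire or HotMail, that models the two mechanisms the explanation and the 5/10/2000 update rely on: the browser's cookie domain-matching rule (a cookie set for a host or domain name is never sent to a request made by IP address, but is sent to any host name inside that domain), and the server-side redirect HotMail used to close the hole (a host-name request for an attachment is bounced to the IP-address form before the attachment's script runs). The rule is written after the domain-match algorithm later codified in RFC 6265; the cookie names, the attachment host name attach1.hotmail.msn.com, the IP address 203.0.113.10 and the path /cgi-bin/getattach are constructed placeholders, not values from the page.

```python
"""Cookie scoping model for the HotMail attachment hole (added example)."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: cookie names, the attachment host name and the
# IP address are placeholders, not values taken from the original page.
COOKIE_JAR = [
    {"name": "auth_session", "domain": ".hotmail.msn.com"},   # domain cookie
    {"name": "prefs", "domain": "www.hotmail.msn.com"},       # host-only cookie
]
ATTACHMENT_HOSTS = {"attach1.hotmail.msn.com": "203.0.113.10"}  # constructed


def is_ip_literal(host):
    """True if the request host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """Domain-match in the style of RFC 6265: a domain cookie (leading dot)
    matches the domain itself and every subdomain of it; a host-only cookie
    matches only that exact host; an IP-literal request host never matches a
    name-scoped cookie. This is the behaviour the page's explanation relies on."""
    host = request_host.lower().rstrip(".")
    if is_ip_literal(host):
        return False
    if cookie_domain.startswith("."):
        dom = cookie_domain.lower().lstrip(".")
        return host == dom or host.endswith("." + dom)
    return host == cookie_domain.lower()


def cookies_sent_to(request_host, jar=COOKIE_JAR):
    """Names of the cookies a browser would attach to a request for request_host."""
    return [c["name"] for c in jar if domain_matches(request_host, c["domain"])]


def rewrite_attachment_url(url, host_to_ip=ATTACHMENT_HOSTS):
    """Server-side fix described in the update: if an attachment is requested
    through a host name inside the cookie domain, return the redirect target
    with the host replaced by its IP address so no domain cookie is in scope
    when the attached HTML runs. Returns None when the URL is already IP-based."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_ip_literal(host):
        return None  # already served by IP address, nothing to redirect
    try:
        ip = host_to_ip[host.lower()]
    except KeyError:
        raise ValueError("unknown attachment host: %s" % host)
    netloc = ip if parts.port is None else "%s:%d" % (ip, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for host in ("www.hotmail.msn.com", "attach1.hotmail.msn.com", "203.0.113.10"):
        print("%-26s -> cookies sent: %s" % (host, cookies_sent_to(host)))
    print(rewrite_attachment_url("http://attach1.hotmail.msn.com/cgi-bin/getattach?id=1"))
```

Running the module shows the domain cookie in scope for both host names in .hotmail.msn.com but not for the IP address, which is exactly why serving attachments by IP was a defence only as long as no host name in the domain resolved to those addresses. The redirect in rewrite_attachment_url closes that gap in this model, while the page's first suggested fix (filtering script from attached HTML files) does not depend on cookie scoping at all and would hold even if another in-domain host name were found.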