Peacefire.org
Youth against Internet censorship
"It's not a crime to be smarter than your parents."

HotMail JavaScript-in-attachment attack

-Bennett Haselton, bennett@peacefire.org
5/10/2000

News sightings: Wired | ZDNet | Slashdot | MSNBC

See also:
JavaScript-in-cookies security hole (4/19/00) C-Net | ZDNet | NTSecurity
Eudora "stealth attachment" demo page (4/27/00) C-Net | ZDNet | Newsbytes
Internet Explorer "local JavaScript" security hole (5/5/00) C-Net | NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00) C-Net

Update 11:45 am PST 5/10/2000 -- HotMail has closed this security hole so the demo will no longer work. (Now, when you try to access an attached HTML file by loading it from a URL starting with a host name, HotMail will redirect you to the same URL with an IP address at the beginning, before the JavaScript on the attached page has a chance to intercept the cookie. This will make more sense after reading the description below.)

This page describes a security hole in HotMail that allows an intruder to break into someone's HotMail account by sending that person an email message with an attached HTML file. When the user views the attached HTML file, their cookies in the HotMail.MSN.com domain are intercepted and sent to a hostile site; since the cookies are used for authentication, whoever receives them can then log into HotMail as that user.

There is no demo available, since this exploit will almost certainly become obsolete as soon as HotMail fixes the problem.

Explanation
HotMail already filters JavaScript from incoming email messages, but it does not filter JavaScript in attached HTML files. To prevent JavaScript in attached HTML files from accessing a user's cookies, the HotMail server loads the attached file from a URL that begins with an IP address rather than a host name. This is because cookies that are set for a host name or domain name will not be sent to a site which is accessed by its IP address, even if that site is the same as the site which set the cookie.

However, it turns out that there are only six different IP addresses that are used to load attached HTML files, and all of them correspond to hostnames that are in the .hotmail.msn.com domain:

So you can intercept the user's cookies by sending them the attached file "magic-attachment.html" (click here to download a zip file containing magic-attachment.html -- we put it in a zip file since people's browsers would get confused if they tried to load the file from our site). The JavaScript in magic-attachment.html carries out the following steps:
  1. Looks at the document.location variable to determine whether the attachment is being viewed at a URL beginning with an IP address or a host name.
  2. If document.location begins with an IP address, the script looks up the IP address in the table above and redirects the user's browser to a new URL identical to the current URL except that the IP address has been replaced with the corresponding host name.
  3. If document.location begins with a host name, then the .hotmail.msn.com cookies are sent to the page and can be intercepted by JavaScript code which submits them to a form on Peacefire.org.

Suggested fix:
HotMail could filter JavaScript from attached HTML files just as it does for email messages. Or, when a user clicks to view an HTML attachment, HotMail could show them the "safe" version by default, but provide them with a link to view the "unsafe" version, with a warning that hostile code in the "unsafe" version could intercept their HotMail cookies.
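As an added example (not Peacefire's code and not HotMail's), the Python sketch below shows the two pieces of the defence described above: the cookie domain-matching rule that makes the IP-address trick work in the first place (a cookie scoped to .hotmail.msn.com is never sent to an IP literal), and the server-side check HotMail adopted as its fix, which serves an attachment only when requested by IP address and redirects any host-name request to the IP form before the attached page's script can run. The host names, IP addresses and URL path are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the example: the authentication cookie's scope and the
# attachment servers' host-name -> IP mapping (not HotMail's real addresses).
COOKIE_DOMAIN = ".hotmail.msn.com"
ATTACHMENT_HOSTS = {
    "att1.hotmail.msn.com": "192.0.2.10",
    "att2.hotmail.msn.com": "192.0.2.11",
}


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cookie_domain_matches(cookie_domain, request_host):
    """Browser domain-matching rule: a cookie set for '.hotmail.msn.com' is sent to
    that domain and its subdomains, but never to a request made by IP address."""
    if is_ip_literal(request_host):
        return False
    host = request_host.lower().rstrip(".")
    suffix = cookie_domain.lower().lstrip(".")
    return host == suffix or host.endswith("." + suffix)


def attachment_response(request_url):
    """Server-side guard for the attachment viewer. Returns a (decision, url) pair:
    ('serve', url)     the request came in by IP literal, so the cookie is out of scope;
    ('redirect', url)  the request used a host name within the cookie's domain, so we
                       bounce it to the IP form before any attached HTML is served;
    ('refuse', url)    the host is not one of ours (possible spoofed Host header)."""
    parts = urlsplit(request_url)
    host = parts.hostname or ""
    if is_ip_literal(host):
        return ("serve", request_url)
    if host in ATTACHMENT_HOSTS and cookie_domain_matches(COOKIE_DOMAIN, host):
        netloc = ATTACHMENT_HOSTS[host] + (f":{parts.port}" if parts.port else "")
        ip_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
        return ("redirect", ip_url)
    return ("refuse", request_url)
```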