[Full-disclosure] Hotmail security flaw

From: Alex de Vries (eierkoek_at_gmail.com)
Date: 06/04/05

    Date: Sat, 4 Jun 2005 10:46:32 -0700
    To: full-disclosure@lists.grok.org.uk
    
    

    I have found a security hole in Hotmail that allows me to view
    somebody's email inbox and do everything possible as if it were your own
    e-mail inbox. All that needs to be done is to send that user an e-mail
    message and persuade him to open an internet site (that has been
    uploaded by the attacker). This flaw works because of an XSS (Cross
    Site Scripting) vulnerability in the MSN website. This allows the
    attacker to log the cookie of the victim.
    It's not a JavaScript injection on the site of Hotmail itself, so
    it's not possible to see if the URL is malicious or not.
    I have sent Microsoft an e-mail message explaining the exploit and the
    problems it can cause.
    I have successfully tested this method multiple times in a legal way.
    When I was convinced the exploit was fully working I wrote a tutorial
    about it.
    The XSS exploit exists in one of the MSN subdomains,
    http://ilovemessenger.msn.com/ . To prove its existence you could go
    to the following URL (including the last single quote):
    http://ilovemessenger.msn.com/?mkt=nl-nl');alert(document.cookie);escape('
    If the exploit is still working you will see a popup containing your
    current cookie.

    The tutorial I have written can be viewed at:
    http://www.net-force.nl/files/articles/hotmail_xss/

    The exploit was discovered, and the tutorial was written, by:
    Alex de Vries, on http://www.net-force.nl known as "Eierkoek".
    eierkoek@net-force.nl
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
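
The payload shape in the URL above (`');` ... `escape('`) suggests the `mkt` value was reflected inside a single-quoted JavaScript string. The sketch below is an added example, not part of the original post and not MSN's code: the `setMarket` call and the page template are hypothetical, and it shows that reflection next to a hardened form, with stub globals so the result can be observed offline.

```javascript
// Assumed vulnerable pattern: mkt is pasted into a single-quoted JS string
// inside an inline script (setMarket is a hypothetical page function).
function renderVulnerable(mkt) {
  return "<script>setMarket('" + mkt + "');</script>";
}

// Fix 1: mkt is a locale tag, so accept only that shape, else fall back.
const LOCALE_RE = /^[a-z]{2}-[a-z]{2}$/i;
function normalizeMarket(mkt, fallback = "en-us") {
  return typeof mkt === "string" && LOCALE_RE.test(mkt) ? mkt.toLowerCase() : fallback;
}

// Fix 2: encode for the JavaScript-string context. JSON.stringify quotes and
// escapes the value; escaping < > & keeps "</script>" from closing the block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

function renderHardened(mkt) {
  return "<script>setMarket(" + jsStringLiteral(normalizeMarket(mkt)) + ");</script>";
}

// Value of the mkt parameter in the URL quoted in the post.
const POSTED_MKT = "nl-nl');alert(document.cookie);escape('";

// Runs the inline script body against stub globals (constructed cookie value)
// and reports which market was set and whether alert() was reached.
function observe(html) {
  const body = html.replace(/^<script>|<\/script>$/g, "");
  const seen = { market: null, alerted: null };
  new Function("setMarket", "alert", "escape", "document", body)(
    (m) => { seen.market = m; },
    (v) => { seen.alerted = v; },
    (s) => s,
    { cookie: "session=CONSTRUCTED" }
  );
  return seen;
}

console.log("vulnerable:", observe(renderVulnerable(POSTED_MKT)));
console.log("hardened:  ", observe(renderHardened(POSTED_MKT)));
```

Marking the session cookie `HttpOnly` additionally keeps it out of `document.cookie`, which limits what a script injected this way can read.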

