JavaScriptSearch Thursday, July 6, 2006; 03:07 AM
Internet security company
Acunetix reported that 16 year old Dutch student Adriaan Graas has discovered a hack for the popular Hotmail
free email service via a Cross Site Scripting attack. Microsoft is said to have been aware of this vulnerability for over a week but,
at time of writing, has not yet fixed it.
When logging into Hotmail, a cookie is created allowing continual
access of the user while within the domain. Hackers may steal such
cookies and produce fakes using such tools as Proxomitron. Since
Hotmail cookies are not IP-bound, hackers do not need the password or
the email address of the victim for logging in and accessing personal
emails and other data. Through Cross Site Scripting (XSS) the hacker
inserts JavaScript code that will send the fake cookie to a Web Server
with a log script and the deed is done.
|