04 September 2006 | 310,843 views

Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript

Cybertroopers storming your ship?

“pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0” friends. Do not operate in shower. Objects in article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.


The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!


On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:

first message in your Inbox is from :

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:

How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the


Subscribe to Darknet RSS Feed Subscribe to Darknet RSS Feed Subscribe to Darknet RSS Feed

Recent in General Hacking:
- Kid Gets Arrested For Building A Clock – World Goes NUTS
- Drones, Tor & Remailers – The Story Of A High-Tech Kidnapping
- U.S. State Department Hacked

Related Posts:
- Spammers Harnessing Web Mail Servers – Gmail & Yahoo! Throttled
- Google Fixes Serious Vulnerability in Gmail
- Hotmail Always-On Encryption Breaks Microsoft’s Own Apps

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,163,967 views
- Hack Tools/Exploits - 614,846 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 429,254 views

Advertise on Darknet

28 Responses to “Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript”

  1. Mister test 4 September 2006 at 10:45 am Permalink

    Has this allready been fixed? I tried it with my account, and it certainly seemed to strip it

  2. Darknet 4 September 2006 at 2:17 pm Permalink

    Yeah I guess it would have by now, it’s just an example of being imaginative :)

  3. farking 4 September 2006 at 5:29 pm Permalink

    i dunno y u keep posting an old stuff…

  4. Darknet 5 September 2006 at 12:41 am Permalink

    You can learn a lot from old stuff….I did when I was starting out.

  5. backbone 6 September 2006 at 6:39 pm Permalink

    no offense darknet… but this is really outdated… someday… not very far from now i will point you a step-by-step yahoo hacking tehnique… at least i will try… hope so…
    i have read this article so many years ago that i though it had dissapeared… it was released by blackbox.sk ? or something like that ;)

  6. Darknet 7 September 2006 at 7:04 am Permalink

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t.

    This was from Blacksun.

  7. Kralc 12 September 2006 at 6:07 pm Permalink

    Thanks so much for the tutorial Darknet. I agree, even if it is ‘old news’, it is still good stuff to learn from.

  8. hobot 13 September 2006 at 1:26 pm Permalink

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t. This was from Blacksun.

    There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities for a long time, Darknet is of course in the Full Disclosure school of thinking.

    I am chortling

  9. Darknet 14 September 2006 at 4:57 am Permalink

    Impressive skills of observation ;)

    You can disclose everything carefully, like with the return address removed or munged…which makes it useless to people without pre-requisite knowledge.

    Or things like this, which have full details but are already outdated.

    Both are equally important learning tools if you are motivated :)

  10. AJ R. 11 October 2006 at 8:03 pm Permalink

    I’ve got to say even though this is “old news”, it’s still fun knowing about this stuff. I never even thought that img src could actually view JS O.o

  11. ahsan 18 October 2006 at 6:59 pm Permalink

    this was my id

  12. Vitamin knowledge needed 2 November 2006 at 1:35 am Permalink

    I hope you all can clue me in cuz i’m not that smart and got confused. In trying to hack an email (not that I would). let’s say to hack into my own as a trial run …

  13. Kelsey 21 December 2006 at 4:19 pm Permalink

    So yeah, just like everyone else, i want to hack into my boyfriend’s email… i use to have his password, but he changed it a few days ago, which kind of makes me think he’s hiding something… & he’s been talking to some girl lately too. i just want to see what they talk about, & if it’s really all that innocent.

    think you could help me out?

  14. Griever 7 January 2007 at 1:28 pm Permalink

    kelsey.. are you on crack? he just told u how n00b

  15. mia 12 January 2007 at 12:15 pm Permalink

    can you help me hack a yahoo email?

  16. Amelia 23 January 2007 at 9:59 am Permalink

    This didn’t work for me, it either shows up as just the code (I sent the email to myself) or it just doesn’t show up anything at all. Just a blank email. Have they already blocked it or am I not doing it right? This is what i put as a test:


  17. Amelia 23 January 2007 at 10:02 am Permalink

    sorry, i mean this (script that shows the one darknet window>

  18. Lloyd 11 February 2007 at 5:01 am Permalink

    Would this also work for VBScript and not only Java Script?

  19. Dead-SouL 15 February 2007 at 8:36 am Permalink

    iam intrested in learning Hacking . can any one teach me .

  20. nico guedes 4 March 2007 at 2:19 pm Permalink

    Please, i need some help. I live in Lisbon, i´ve 25 years old and i need urgently discover an e-mail password.
    someone to help me? It´s very important.


  21. Sakil 6 March 2007 at 10:31 am Permalink

    Please help me to find a gmail password

  22. Brooklyn 11 March 2007 at 2:20 am Permalink

    Hey everybody. if anyone has a couple of minutes to spare, there will be big karma points if i could be pointed in the right direction. i have been using brutus for a while now. i went from a clueless newbie to an accomplished cracker the right way, the hard way, ON MY OWN! but i cant go on with this charade any longer. i have fresh paysite username/passwords anytime i want them but i have yet to figure out the proper protocol to enter them. it has gotten to the point of mad ridiculous because all i do is crack em and move on. i would greatly appreciate some guidance from the “more gifted ones” as i have gone as far as i can in the game without any help. HELP!!! Thank you!

  23. Jai 2 April 2007 at 7:02 pm Permalink

    hey does this work on firefox ive been tryin for a while but im not sure i know realy what to do i just copied the javascript and pasted it in the email and i sent it to myselfe but do i need to do anything else please someone help me


  24. forbade 2 April 2007 at 8:39 pm Permalink

    I must agree, this tut. is a wee bit out of date.
    but none the less, a starting point.

  25. spy 16 April 2007 at 10:52 pm Permalink

    anyone who wants to get into a perticular hotmail account email me im sure i can help

  26. spy 17 April 2007 at 9:56 pm Permalink

    what a tosser it amazes me how many bored assholes there are out there.
    what are you doing looking at a page on script injection then dickhead?
    must be busting people