04 September 2006 | 307,582 views

Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript

Check For Vulnerabilities with Acunetix

“pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0″ friends. Do not operate in shower. Objects in article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.

Intro

The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!

Preface

On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:

<IMG SRC=”javasCript:alert(‘JavaScript is
executed’);a=window.open(document.links[2]);setTimeout(‘alert(\’The
first message in your Inbox is from :
\’+a.document.links[26].text)’,20000)”>

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:

<IMG SRC=”javasCript:alert(‘JavaScript is executed’)”>

How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an <IMG> tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the <SCRIPT> tag (the normal way to add javascript to a page) was banned from use in hotmail messages by way of filtering(6) (boo! hiss!). So normal guys like you and me had to “inject”, or put into other html tags, our javascript exploits. The IMG tag is perfect for this, when combined with it’s autoloading capabilities. This discovery led to the filtering, yet again, of javascript injected into IMG tags. Of course, hackers ALWAYS find a way, and today we combine IMG-injecting with ASCII tags to give you the current exploit.

What else can I do with this hole in Hotmail’s Security?

As is the case with many exploits, the sky is the limit. If you know javascript, you can pretty much have a field day with this exploit. If you don’t, here’s a few more snippets of code to get you started:

This code opens a window with Darknet’s main page in it when the hotmail user opens your mail:

<IMG SRC=”javasCript:window.open(‘http:://www.darknet.org.uk’)”>

Note that the above code could point to any page at all (even one that simulates hotmail’s “you have been logged out” screen. *wink* *wink* HINT HINT ;-) )

This code opens 100 windows with Darknet’s main page in it (tee hee! self promotion is good!):

<IMG SRC=”javasCript:for(var i = 0; i < 100; i++) window.open(‘http:://www.darknet.org.uk’);”>

The rest is up to you, my friend. By the way, if Hotmail finds a way to make this exploit null and void, please don’t mail me, as I probably already know. Just keep looking for the next big exploit, and then when you’ve found it, you may tell me.

Terms Defined

(1) Bugtraq – A mailing list where people publicize holes and exploits in various softwares. I highly suggest that you subscribe at http://www.securityfocus.com.
(2) Exploit – Webster’s dictionary sez: ” exploit (eks’ploit’) – an act remarkable for brilliance or daring; bold deed”. Wow. Think of that the next time you steal someone’s ICQ password.
(3) alert() function – A function built into the Javascript language that brings up a rectangle box with the message passed to the alert() function in it. Note: alert(‘message goes here’)
(4) Javascript – A scripting language built into most popular browsers that gives much greater control over web page content than HTML alone (chicks dig pages with javascript 2 to 1 over standard HTML!).
(5) ASCII – A standard for characters on and beyond the normal keyboard.
(6) Filtering – A way to ‘catch and detain’ certain text or commands. Hotmail, for example, filters for the “javascript” text.

Some URLs

(1) http://www.htmlgoodies.com – they have some javascript tutorials if you wanna learn javascript.
(2) http://come.to/the-lamer – they have some fake hotmail pages that will make you think you were logged out for some reason and ask you to input your password. They also have some tutorials on how to use these pages, etc’ etc’ etc’.

From Blacksun – Updated by Darknet



Recent in General Hacking:
- Dradis v2.9 – Information Sharing For Security Assessments
- MagicTree v1.3 Available For Download – Pentesting Productivity
- Kvasir – Penetration Testing Data Management Tool

Related Posts:
- Spammers Harnessing Web Mail Servers – Gmail & Yahoo! Throttled
- Google Fixes Serious Vulnerability in Gmail
- Hotmail Always-On Encryption Breaks Microsoft’s Own Apps

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,133,502 views
- Hack Tools/Exploits - 576,869 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 411,721 views

Low-cost VPS Hosting

28 Responses to “Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript”

  1. Mister test 4 September 2006 at 10:45 am Permalink

    Has this allready been fixed? I tried it with my account, and it certainly seemed to strip it

  2. Darknet 4 September 2006 at 2:17 pm Permalink

    Yeah I guess it would have by now, it’s just an example of being imaginative :)

  3. farking 4 September 2006 at 5:29 pm Permalink

    i dunno y u keep posting an old stuff…

  4. Darknet 5 September 2006 at 12:41 am Permalink

    You can learn a lot from old stuff….I did when I was starting out.

  5. backbone 6 September 2006 at 6:39 pm Permalink

    no offense darknet… but this is really outdated… someday… not very far from now i will point you a step-by-step yahoo hacking tehnique… at least i will try… hope so…
    i have read this article so many years ago that i though it had dissapeared… it was released by blackbox.sk ? or something like that ;)

  6. Darknet 7 September 2006 at 7:04 am Permalink

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t.

    This was from Blacksun.

  7. Kralc 12 September 2006 at 6:07 pm Permalink

    Thanks so much for the tutorial Darknet. I agree, even if it is ‘old news’, it is still good stuff to learn from.

  8. hobot 13 September 2006 at 1:26 pm Permalink

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t. This was from Blacksun.


    There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities for a long time, Darknet is of course in the Full Disclosure school of thinking.

    I am chortling

  9. Darknet 14 September 2006 at 4:57 am Permalink

    Impressive skills of observation ;)

    You can disclose everything carefully, like with the return address removed or munged…which makes it useless to people without pre-requisite knowledge.

    Or things like this, which have full details but are already outdated.

    Both are equally important learning tools if you are motivated :)

  10. AJ R. 11 October 2006 at 8:03 pm Permalink

    I’ve got to say even though this is “old news”, it’s still fun knowing about this stuff. I never even thought that img src could actually view JS O.o

  11. ahsan 18 October 2006 at 6:59 pm Permalink

    this was my id

  12. Vitamin knowledge needed 2 November 2006 at 1:35 am Permalink

    I hope you all can clue me in cuz i’m not that smart and got confused. In trying to hack an email (not that I would). let’s say to hack into my own as a trial run …

  13. Kelsey 21 December 2006 at 4:19 pm Permalink

    So yeah, just like everyone else, i want to hack into my boyfriend’s email… i use to have his password, but he changed it a few days ago, which kind of makes me think he’s hiding something… & he’s been talking to some girl lately too. i just want to see what they talk about, & if it’s really all that innocent.

    think you could help me out?

  14. Griever 7 January 2007 at 1:28 pm Permalink

    kelsey.. are you on crack? he just told u how n00b

  15. mia 12 January 2007 at 12:15 pm Permalink

    can you help me hack a yahoo email?

  16. Amelia 23 January 2007 at 9:59 am Permalink

    This didn’t work for me, it either shows up as just the code (I sent the email to myself) or it just doesn’t show up anything at all. Just a blank email. Have they already blocked it or am I not doing it right? This is what i put as a test:

    http://ffp.uku.fi/pics/food/snack-miniburger01.jpg

  17. Amelia 23 January 2007 at 10:02 am Permalink

    sorry, i mean this (script that shows the one darknet window>

  18. Lloyd 11 February 2007 at 5:01 am Permalink

    Would this also work for VBScript and not only Java Script?

  19. Dead-SouL 15 February 2007 at 8:36 am Permalink

    iam intrested in learning Hacking . can any one teach me .

  20. nico guedes 4 March 2007 at 2:19 pm Permalink

    Please, i need some help. I live in Lisbon, i´ve 25 years old and i need urgently discover an e-mail password.
    someone to help me? It´s very important.
    Thanks
    Nico

    mgmax22@hotmail.com

  21. Sakil 6 March 2007 at 10:31 am Permalink

    Please help me to find a gmail password
    Regards
    sakil

  22. Brooklyn 11 March 2007 at 2:20 am Permalink

    Hey everybody. if anyone has a couple of minutes to spare, there will be big karma points if i could be pointed in the right direction. i have been using brutus for a while now. i went from a clueless newbie to an accomplished cracker the right way, the hard way, ON MY OWN! but i cant go on with this charade any longer. i have fresh paysite username/passwords anytime i want them but i have yet to figure out the proper protocol to enter them. it has gotten to the point of mad ridiculous because all i do is crack em and move on. i would greatly appreciate some guidance from the “more gifted ones” as i have gone as far as i can in the game without any help. HELP!!! Thank you!

  23. Jai 2 April 2007 at 7:02 pm Permalink

    hey does this work on firefox ive been tryin for a while but im not sure i know realy what to do i just copied the javascript and pasted it in the email and i sent it to myselfe but do i need to do anything else please someone help me

    jaiflippy3@yahoo.com

  24. forbade 2 April 2007 at 8:39 pm Permalink

    I must agree, this tut. is a wee bit out of date.
    but none the less, a starting point.

  25. spy 16 April 2007 at 10:52 pm Permalink

    anyone who wants to get into a perticular hotmail account email me im sure i can help
    secret_services@hotmail.co.uk

  26. spy 17 April 2007 at 9:56 pm Permalink

    what a tosser it amazes me how many bored assholes there are out there.
    what are you doing looking at a page on script injection then dickhead?
    must be busting people