24 May 2011 | 15,065 views

Hotmail Exploit Has Been Silently Stealing E-mail


We haven’t reported much about Hotmail over the years, probably because Hotmail has mostly taken a back seat since Gmail took over.

The most recent report we had was about SSL and how Hotmail Always-On Encryption Breaks Microsoft’s Own Apps.

The latest news is that a nasty bug in Hotmail has been actively exploited for a while, allowing malicious senders to snoop on e-mail and even add forwarding rules to the victim’s account.

Microsoft has patched a bug in its Hotmail email service that attackers were exploiting to silently steal confidential correspondences and user contacts from unsuspecting victims.

The vulnerability was actively being exploited using emails that contained malicious scripts, Trend Micro researcher Karl Dominguez said Monday. Successful attacks required only that a Hotmail user open the malicious email or view it in a preview window. The commands embedded in the emails uploaded users’ correspondences and user contacts to servers under the control of attackers without requiring the victim to click on links or otherwise take any action.

The scripts also had the capability of enabling email forwarding on the targeted Hotmail account, allowing attackers to view emails sent to the victim in the future.

Trend Micro researchers learned of the in-the-wild attacks after a colleague in Taiwan received one of the booby-trapped emails. The email purported to be a security warning concerning the victim’s Facebook account.

This attack has been going on in the wild for at least 2-3 weeks – that’s the confirmed time frame anyway. It may have been going on for much longer than that; no one really knows.

Microsoft isn’t telling us anything, nothing at all. I’d personally like to know how many users/accounts were affected. Have they notified these users? What exactly are they doing to mitigate the loss of personal data, and so on?

I wonder if this will turn into a legal matter like the whole Sony case that’s blowing up right now; I’d guess not, as Hotmail users tend to be a less Internet-savvy crowd. I mean, seriously, how many of you guys/gals use Hotmail as your primary account? I’d guess probably none.

Most of you probably have a Hotmail account but use it as a secondary/tertiary account for signing up to forums and the like, and for collecting spam.


Trend first disclosed the bug on May 13. Monday’s blog post said Microsoft has since plugged the hole, which resided in CSS, or cascading style sheet functionality, but didn’t say when.

“The attack takes advantage of a script or CSS filtering mechanism bug in Hotmail,” Dominguez wrote. “Microsoft has already taken action and updated Hotmail to fix the said bug.”

The vulnerable code helped inject a character into a Hotmail filtering mechanism that changed the way it behaved. The result was a platform that ran arbitrary commands in a user’s Hotmail login session.
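The bug described above is one where a single injected character changed how a filtering mechanism behaved. As an added illustration of the defensive pattern (this is not Hotmail’s or Trend Micro’s code, and not the actual bug), here is how a webmail renderer can sanitize inline CSS by normalizing first and then allow-listing properties and values, rather than hunting for known-bad tokens; the property list and value grammar are assumptions chosen for the example.

```javascript
// Added example, not Hotmail's code: allow-list sanitizer for inline CSS in
// rendered e-mail. Token blacklists break when one extra character splits or
// disguises a token; normalizing first and then admitting only a strict
// grammar does not depend on recognising every dangerous spelling.
const ALLOWED_PROPS = new Set(['color', 'background-color', 'font-size',
  'font-weight', 'text-align', 'margin', 'padding', 'width', 'height']);

// A value token may be a keyword, a hex colour, a number with an optional
// unit, or an rgb() triple. No other parentheses, quotes, URLs or escapes.
const TOKEN_RE =
  /^(?:[a-z-]+|#[0-9a-f]{3,6}|-?\d+(?:\.\d+)?(?:px|em|%)?|rgb\(\d{1,3},\d{1,3},\d{1,3}\))$/;

function normalize(css) {
  // Strip comments, control characters and backslashes BEFORE any check, so
  // an inserted character cannot hide a token from the grammar below.
  return css
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/[\u0000-\u001f\u007f-\u009f\\]/g, '')
    .replace(/\s*,\s*/g, ',')
    .toLowerCase();
}

// Returns the subset of declarations that pass the allow-list, re-serialized.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of normalize(style).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;                       // not a declaration
    const prop = decl.slice(0, idx).trim();
    const tokens = decl.slice(idx + 1).trim().split(/\s+/);
    if (!ALLOWED_PROPS.has(prop)) continue;      // unknown property: drop
    if (!tokens.every((t) => TOKEN_RE.test(t))) continue; // bad value: drop
    kept.push(`${prop}:${tokens.join(' ')}`);
  }
  return kept.join(';');
}

// Constructed sample inputs, as a mail renderer might receive them.
console.log(sanitizeStyle('color: Red; font-size: 12px'));
console.log(sanitizeStyle('width:exp/**/ression(alert(1));color:red'));
```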

It’s unclear how many Hotmail users may have been affected by the exploits and whether Microsoft has adequately warned users they may have been compromised. Microsoft spokesman Bryan Nairn wouldn’t say how many subscribers were targeted or when the patch was put in place.

Microsoft claims to have fixed the bug, but that’s really all they are saying; they aren’t saying when they knew about the problem or when it was patched, just that it is fixed now.

You can read the May 13th blog post by Trend Micro here:

Targeted Attack Exposes Risk of Checking Personal Email at Work

And their later, more detailed post here:

Trend Micro Researchers Identify Vulnerability in Hotmail

Source: The Register


7 Responses to “Hotmail Exploit Has Been Silently Stealing E-mail”

  1. kurt wismer 24 May 2011 at 7:01 pm Permalink

    on the question of who uses hotmail as their primary account, it’s worth noting that some organizations outsource their email to hotmail – and not just small companies but even major internet service providers.

    bell canada, one half of the isp duopoly in canada (under the brand name sympatico), have off-loaded their email service into the hands of hotmail. even though the addresses have a sympatico.ca domain, you log into the webmail interface through microsoft’s service.

    as such, there’s probably a lot more people using hotmail than anyone realizes (because bell canada is probably not unique in this regard).

    • Darknet 25 May 2011 at 7:50 am Permalink

      Very valid point you have there kurt. But then again how many people really use ISP allocated accounts? No doubt there is a lot of them, but are people really using them?

  2. Somebody 25 May 2011 at 7:49 am Permalink

    What a motherfucking load of crap, just another reason not to use microfuck

    • Everyone Else 26 May 2011 at 2:38 pm Permalink

      Wow. Very constructive feedback, Somebody. That was helpful.

  3. NNM 27 May 2011 at 12:32 pm Permalink

    I still feel that hotmail is safer than gmail, yahoo, or any other free web based service.
    Maybe a false sense of security… But I still trust Microsoft. (And over the last year, I’ve lost ALL trust in google. They are evil..)
    I get almost no spam at all on most hotmail accounts, except those created for the purpose of signing up to things I don’t trust.

    And I don’t believe this can be compared to Sony. Not at all. You don’t give your credit card info to hotmail. No personal information either. And it’s free. And I’m pretty sure the situation is described in the terms of use, even though I don’t remember any of it.

    • brad 27 May 2011 at 4:50 pm Permalink

      1) Why exactly have you a reason to think hotmail is more secure than gmail/yahoo?

      2) So you only get spam on the accounts you use for things that could get you spammed……. and then make a connection between this and the difference between gmail and hotmail how?

      3) Are you kidding? No personal info in email?

      4) Are you kidding? Remember it? How did you ever manage to read it?

  4. brad 27 May 2011 at 3:42 pm Permalink

    Hmm…

    CSS you say? I think I know exactly what the hack is then! It’s one which pretty much every website which allows style attributes is vulnerable to right now. The irony is, it is really only IE that can be hit by it.