Web Based Email Hacking with JavaScript (Hotmail Yahoo Gmail)

“pleez, pleez, PLEEZ teach me how to do email hacking on a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0” friends. Do not operate in the shower. Objects in the article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.

Web Based Email Hacking with JavaScript (Hotmail Yahoo Gmail)

Intro to Email Hacking

The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!


On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

To: BugTraq
Subject: Yet another major Hotmail security hole –
injecting JavaScript using “javasCript:”
Date: Wed Sep 22 1999 10:48:04
Author: Georgi Guninski
Message-ID: <37E8D004.EF848F34@nat.bg>

Yet another major Hotmail security hole – injecting
JavaScript using “javasCript:”

There is a major security flaw in Hotmail which allows
injecting and executing JavaScript code in an email
message using the javascript protocol. This exploit
works both on Internet Explorer 5.0 (guess IE 4.x)
and Netscape Communicator 4.x. Hotmail filters the
“javascript:” protocol for security reasons. But it
does not filter properly the following case:
“javasCript:” where “C” is the ASCII code of “C”.

So the following HTML is executed SRC=”javasCript:alert(‘JavaScript is executed’);”>
if the user has enabled automatically loading of
images (most users have).

Probably this may be used in other HTML tags.

Executing JavaScript when the user opens Hotmail
email message allows for example displaying a fake
login screen where the user enters his password
which is then stolen. I don’t want to make a scary
demonstration, but I am sure it is also possible to
read user’s messages, to send messages from user’s
name and doing other mischief. Hotmail deliberately
escapes all JavaScript (it can escape) to prevent such
attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.0. AFAIK this is not a browser
problem, it is Hotmail’s problem.

Workaround: Disable JavaScript

The code is:


Georgi Guninski

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).

The email hacking exploit would be:

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:

How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an IMG tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the SCRIPT tag (the normal way to add javascript to a page) was banned from use in hotmail messages by way of filtering(6) (boo! hiss!). So normal guys like you and me had to “inject”, or put into other html tags, our javascript exploits. The IMG tag is perfect for this, when combined with it’s autoloading capabilities. This discovery led to the filtering, yet again, of javascript injected into IMG tags. Of course, hackers ALWAYS find a way, and today we combine IMG-injecting with ASCII tags to give you the current exploit.

What else can I do with this hole in Hotmail’s Security?

As is the case with many exploits, the sky is the limit. If you know javascript, you can pretty much have a field day with this exploit. If you don’t, here’s a few more snippets of code to get you started:

This code opens a window with Darknet’s main page in it when the hotmail user opens your mail:

Note that the above code could point to any page at all (even one that simulates hotmail’s “you have been logged out” screen. *wink* *wink* HINT HINT ;-) )

This code opens 100 windows with Darknet’s main page in it (tee hee! self promotion is good!):

The rest is up to you, my friend. By the way, if Hotmail finds a way to make this exploit null and void, please don’t mail me, as I probably already know. Just keep looking for the next big exploit, and then when you’ve found it, you may tell me.

Terms Defined

(1) Bugtraq – A mailing list where people publicize holes and exploits in various software. I highly suggest that you subscribe at http://www.securityfocus.com.
(2) Exploit – Webster’s dictionary sez: ” exploit (eks’ploit’) – an act remarkable for brilliance or daring; bold deed”. Wow. Think of that the next time you steal someone’s ICQ password.
(3) alert() function – A function built into the Javascript language that brings up a rectangle box with the message passed to the alert() function in it. Note: alert(‘message goes here’)
(4) Javascript – A scripting language built into most popular browsers that gives much greater control over web page content than HTML alone (chicks dig pages with javascript 2 to 1 over standard HTML!).
(5) ASCII – A standard for characters on and beyond the normal keyboard.
(6) Filtering – A way to ‘catch and detain’ certain text or commands. Hotmail, for example, filters for the “javascript” text.

Some URLs

(1) http://www.htmlgoodies.com – they have some javascript tutorials if you wanna learn javascript.
(2) http://come.to/the-lamer – they have some fake hotmail pages that will make you think you were logged out for some reason and ask you to input your password. They also have some tutorials on how to use these pages, etc’ etc’ etc’.

From Blacksun – Updated by Darknet

Posted in: Web Hacking

, , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

26 Responses to Web Based Email Hacking with JavaScript (Hotmail Yahoo Gmail)

  1. Mister test September 4, 2006 at 10:45 am #

    Has this allready been fixed? I tried it with my account, and it certainly seemed to strip it

  2. Darknet September 4, 2006 at 2:17 pm #

    Yeah I guess it would have by now, it’s just an example of being imaginative :)

  3. farking September 4, 2006 at 5:29 pm #

    i dunno y u keep posting an old stuff…

  4. Darknet September 5, 2006 at 12:41 am #

    You can learn a lot from old stuff….I did when I was starting out.

  5. backbone September 6, 2006 at 6:39 pm #

    no offense darknet… but this is really outdated… someday… not very far from now i will point you a step-by-step yahoo hacking tehnique… at least i will try… hope so…
    i have read this article so many years ago that i though it had dissapeared… it was released by blackbox.sk ? or something like that ;)

  6. Darknet September 7, 2006 at 7:04 am #

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t.

    This was from Blacksun.

  7. Kralc September 12, 2006 at 6:07 pm #

    Thanks so much for the tutorial Darknet. I agree, even if it is ‘old news’, it is still good stuff to learn from.

  8. hobot September 13, 2006 at 1:26 pm #

    It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t. This was from Blacksun.

    There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities for a long time, Darknet is of course in the Full Disclosure school of thinking.

    I am chortling

  9. Darknet September 14, 2006 at 4:57 am #

    Impressive skills of observation ;)

    You can disclose everything carefully, like with the return address removed or munged…which makes it useless to people without pre-requisite knowledge.

    Or things like this, which have full details but are already outdated.

    Both are equally important learning tools if you are motivated :)

  10. AJ R. October 11, 2006 at 8:03 pm #

    I’ve got to say even though this is “old news”, it’s still fun knowing about this stuff. I never even thought that img src could actually view JS O.o

  11. ahsan October 18, 2006 at 6:59 pm #

    this was my id

  12. Vitamin knowledge needed November 2, 2006 at 1:35 am #

    I hope you all can clue me in cuz i’m not that smart and got confused. In trying to hack an email (not that I would). let’s say to hack into my own as a trial run …

  13. Kelsey December 21, 2006 at 4:19 pm #

    So yeah, just like everyone else, i want to hack into my boyfriend’s email… i use to have his password, but he changed it a few days ago, which kind of makes me think he’s hiding something… & he’s been talking to some girl lately too. i just want to see what they talk about, & if it’s really all that innocent.

    think you could help me out?

  14. Griever January 7, 2007 at 1:28 pm #

    kelsey.. are you on crack? he just told u how n00b

  15. mia January 12, 2007 at 12:15 pm #

    can you help me hack a yahoo email?

  16. Amelia January 23, 2007 at 9:59 am #

    This didn’t work for me, it either shows up as just the code (I sent the email to myself) or it just doesn’t show up anything at all. Just a blank email. Have they already blocked it or am I not doing it right? This is what i put as a test:


  17. Amelia January 23, 2007 at 10:02 am #

    sorry, i mean this (script that shows the one darknet window>

  18. Lloyd February 11, 2007 at 5:01 am #

    Would this also work for VBScript and not only Java Script?

  19. Dead-SouL February 15, 2007 at 8:36 am #

    iam intrested in learning Hacking . can any one teach me .

  20. nico guedes March 4, 2007 at 2:19 pm #

    Please, i need some help. I live in Lisbon, i´ve 25 years old and i need urgently discover an e-mail password.
    someone to help me? It´s very important.


  21. Sakil March 6, 2007 at 10:31 am #

    Please help me to find a gmail password

  22. Brooklyn March 11, 2007 at 2:20 am #

    Hey everybody. if anyone has a couple of minutes to spare, there will be big karma points if i could be pointed in the right direction. i have been using brutus for a while now. i went from a clueless newbie to an accomplished cracker the right way, the hard way, ON MY OWN! but i cant go on with this charade any longer. i have fresh paysite username/passwords anytime i want them but i have yet to figure out the proper protocol to enter them. it has gotten to the point of mad ridiculous because all i do is crack em and move on. i would greatly appreciate some guidance from the “more gifted ones” as i have gone as far as i can in the game without any help. HELP!!! Thank you!

  23. Jai April 2, 2007 at 7:02 pm #

    hey does this work on firefox ive been tryin for a while but im not sure i know realy what to do i just copied the javascript and pasted it in the email and i sent it to myselfe but do i need to do anything else please someone help me


  24. forbade April 2, 2007 at 8:39 pm #

    I must agree, this tut. is a wee bit out of date.
    but none the less, a starting point.

  25. spy April 16, 2007 at 10:52 pm #

    anyone who wants to get into a perticular hotmail account email me im sure i can help

  26. spy April 17, 2007 at 9:56 pm #

    what a tosser it amazes me how many bored assholes there are out there.
    what are you doing looking at a page on script injection then dickhead?
    must be busting people