“pleez, pleez, PLEEZ teach me how to do email hacking on a Hotmail Account!!!”
-unidentified IRC user
From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0” friends. Do not operate in the shower. Objects in the article may be closer than they appear.
Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.
Intro to Email Hacking
The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!
Preface
On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:
To: BugTraq
Subject: Yet another major Hotmail security hole –
injecting JavaScript using “javasCript:”
Date: Wed Sep 22 1999 10:48:04
Author: Georgi Guninski
Message-ID: <[email protected]>Yet another major Hotmail security hole – injecting
JavaScript using “javasCript:”There is a major security flaw in Hotmail which allows
injecting and executing JavaScript code in an email
message using the javascript protocol. This exploit
works both on Internet Explorer 5.0 (guess IE 4.x)
and Netscape Communicator 4.x. Hotmail filters the
“javascript:” protocol for security reasons. But it
does not filter properly the following case:
“javasCript:” where “C” is the ASCII code of “C”.So the following HTML is executed <IMG
SRC=”javasCript:alert(‘JavaScript is executed’);”>
if the user has enabled automatically loading of
images (most users have).Probably this may be used in other HTML tags.
Executing JavaScript when the user opens Hotmail
email message allows for example displaying a fake
login screen where the user enters his password
which is then stolen. I don’t want to make a scary
demonstration, but I am sure it is also possible to
read user’s messages, to send messages from user’s
name and doing other mischief. Hotmail deliberately
escapes all JavaScript (it can escape) to prevent such
attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.0. AFAIK this is not a browser
problem, it is Hotmail’s problem.Workaround: Disable JavaScript
The code is:
1234 <IMG SRC="javasCript:alert('JavaScript isexecuted');a=window.open(document.links[2]);setTimeout('alert(\'Thefirst message in your Inbox is from :\'+a.document.links[26].text)',20000)">….
….
Regards,
Georgi Guninski
http://www.securityfocus.com/external/http://www.nat.bg/~joro
Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.
What is this all about?
This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The email hacking exploit would be:
1 2 3 4 |
<IMG SRC="javasCript:alert('JavaScript is executed');a=window.open(document.links[2]);setTimeout('alert(\'The first message in your Inbox is from : \'+a.document.links[26].text)',20000)"> |
What does it do?
As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:
1 |
<IMG SRC="javasCript:alert('JavaScript is executed')"> |
How does it work?
Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an IMG tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the SCRIPT tag (the normal way to add javascript to a page) was banned from use in hotmail messages by way of filtering(6) (boo! hiss!). So normal guys like you and me had to “inject”, or put into other html tags, our javascript exploits. The IMG tag is perfect for this, when combined with it’s autoloading capabilities. This discovery led to the filtering, yet again, of javascript injected into IMG tags. Of course, hackers ALWAYS find a way, and today we combine IMG-injecting with ASCII tags to give you the current exploit.
What else can I do with this hole in Hotmail’s Security?
As is the case with many exploits, the sky is the limit. If you know javascript, you can pretty much have a field day with this exploit. If you don’t, here’s a few more snippets of code to get you started:
This code opens a window with Darknet’s main page in it when the hotmail user opens your mail:
1 |
<IMG SRC="javasCript:window.open('http:://www.darknet.org.uk')"> |
Note that the above code could point to any page at all (even one that simulates hotmail’s “you have been logged out” screen. *wink* *wink* HINT HINT ;-) )
This code opens 100 windows with Darknet’s main page in it (tee hee! self promotion is good!):
1 |
<IMG SRC="javasCript:for(var i = 0; i < 100; i++) window.open('http:://www.darknet.org.uk');"> |
The rest is up to you, my friend. By the way, if Hotmail finds a way to make this exploit null and void, please don’t mail me, as I probably already know. Just keep looking for the next big exploit, and then when you’ve found it, you may tell me.
Terms Defined
(1) Bugtraq – A mailing list where people publicize holes and exploits in various software. I highly suggest that you subscribe at http://www.securityfocus.com.
(2) Exploit – Webster’s dictionary sez: ” exploit (eks’ploit’) – an act remarkable for brilliance or daring; bold deed”. Wow. Think of that the next time you steal someone’s ICQ password.
(3) alert() function – A function built into the Javascript language that brings up a rectangle box with the message passed to the alert() function in it. Note: alert(‘message goes here’)
(4) Javascript – A scripting language built into most popular browsers that gives much greater control over web page content than HTML alone (chicks dig pages with javascript 2 to 1 over standard HTML!).
(5) ASCII – A standard for characters on and beyond the normal keyboard.
(6) Filtering – A way to ‘catch and detain’ certain text or commands. Hotmail, for example, filters for the “javascript” text.
Some URLs
(1) http://www.htmlgoodies.com – they have some javascript tutorials if you wanna learn javascript.
(2) http://come.to/the-lamer – they have some fake hotmail pages that will make you think you were logged out for some reason and ask you to input your password. They also have some tutorials on how to use these pages, etc’ etc’ etc’.
From Blacksun – Updated by Darknet
Mister test says
Has this allready been fixed? I tried it with my account, and it certainly seemed to strip it
Darknet says
Yeah I guess it would have by now, it’s just an example of being imaginative :)
farking says
i dunno y u keep posting an old stuff…
Darknet says
You can learn a lot from old stuff….I did when I was starting out.
backbone says
no offense darknet… but this is really outdated… someday… not very far from now i will point you a step-by-step yahoo hacking tehnique… at least i will try… hope so…
i have read this article so many years ago that i though it had dissapeared… it was released by blackbox.sk ? or something like that ;)
Darknet says
It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t.
This was from Blacksun.
Kralc says
Thanks so much for the tutorial Darknet. I agree, even if it is ‘old news’, it is still good stuff to learn from.
hobot says
It is, but learn from the old stuff, it’s useful, I don’t like to post current stuff, too much danger that script kiddies will grab it and do something they shouldn’t. This was from Blacksun.
There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities for a long time, Darknet is of course in the Full Disclosure school of thinking.
I am chortling
Darknet says
Impressive skills of observation ;)
You can disclose everything carefully, like with the return address removed or munged…which makes it useless to people without pre-requisite knowledge.
Or things like this, which have full details but are already outdated.
Both are equally important learning tools if you are motivated :)
AJ R. says
I’ve got to say even though this is “old news”, it’s still fun knowing about this stuff. I never even thought that img src could actually view JS O.o
ahsan says
this was my id
Vitamin knowledge needed says
I hope you all can clue me in cuz i’m not that smart and got confused. In trying to hack an email (not that I would). let’s say to hack into my own as a trial run …
Kelsey says
So yeah, just like everyone else, i want to hack into my boyfriend’s email… i use to have his password, but he changed it a few days ago, which kind of makes me think he’s hiding something… & he’s been talking to some girl lately too. i just want to see what they talk about, & if it’s really all that innocent.
think you could help me out?
Griever says
kelsey.. are you on crack? he just told u how n00b
mia says
can you help me hack a yahoo email?
Amelia says
This didn’t work for me, it either shows up as just the code (I sent the email to myself) or it just doesn’t show up anything at all. Just a blank email. Have they already blocked it or am I not doing it right? This is what i put as a test:
http://ffp.uku.fi/pics/food/snack-miniburger01.jpg
Amelia says
sorry, i mean this
(script that shows the one darknet window>
Lloyd says
Would this also work for VBScript and not only Java Script?
Dead-SouL says
iam intrested in learning Hacking . can any one teach me .
nico guedes says
Please, i need some help. I live in Lisbon, i´ve 25 years old and i need urgently discover an e-mail password.
someone to help me? It´s very important.
Thanks
Nico
[email protected]
Sakil says
Please help me to find a gmail password
Regards
sakil
Brooklyn says
Hey everybody. if anyone has a couple of minutes to spare, there will be big karma points if i could be pointed in the right direction. i have been using brutus for a while now. i went from a clueless newbie to an accomplished cracker the right way, the hard way, ON MY OWN! but i cant go on with this charade any longer. i have fresh paysite username/passwords anytime i want them but i have yet to figure out the proper protocol to enter them. it has gotten to the point of mad ridiculous because all i do is crack em and move on. i would greatly appreciate some guidance from the “more gifted ones” as i have gone as far as i can in the game without any help. HELP!!! Thank you!
Jai says
hey does this work on firefox ive been tryin for a while but im not sure i know realy what to do i just copied the javascript and pasted it in the email and i sent it to myselfe but do i need to do anything else please someone help me
[email protected]
forbade says
I must agree, this tut. is a wee bit out of date.
but none the less, a starting point.
spy says
anyone who wants to get into a perticular hotmail account email me im sure i can help
[email protected]
spy says
what a tosser it amazes me how many bored assholes there are out there.
what are you doing looking at a page on script injection then dickhead?
must be busting people