Hotmail Exploit Has Been Silently Stealing E-mail

We haven’t reported a whole lot about Hotmail over the years, probably because, since Gmail took over, Hotmail has mostly taken a back seat.

The most recent report we had was about SSL and how Hotmail Always-On Encryption Breaks Microsoft’s Own Apps.

The latest news is that a nasty bug in Hotmail has been actively exploited for a while, allowing malicious senders to snoop on a victim’s e-mail and even add forwarding rules to the victim’s account.

Microsoft has patched a bug in its Hotmail email service that attackers were exploiting to silently steal confidential correspondences and user contacts from unsuspecting victims.

The vulnerability was actively being exploited using emails that contained malicious scripts, Trend Micro researcher Karl Dominguez said Monday. Successful attacks required only that a Hotmail user open the malicious email or view it in a preview window. The commands embedded in the emails uploaded users’ correspondences and user contacts to servers under the control of attackers without requiring the victim to click on links or otherwise take any action.

The scripts also had the capability of enabling email forwarding on the targeted Hotmail account, allowing attackers to view emails sent to the victim in the future.

Trend Micro researchers learned of the in-the-wild attacks after a colleague in Taiwan received one of the booby-trapped emails. The email purported to be a security warning concerning the victim’s Facebook account.

This attack has been going on in the wild for at least 2-3 weeks – that’s the confirmed time frame anyway. It may have been going on for much longer than that; no one really knows.

Microsoft isn’t telling us anything, nothing at all. I’d personally like to know how many users/accounts were affected. Have they notified these users? What exactly are they doing to mitigate the loss of personal data, and so on?

I wonder if this will get legal like the whole Sony case that’s blowing up right now. I’d guess not, as Hotmail users tend to be a less Internet-savvy kind of crowd. I mean, seriously, how many of you guys/gals use Hotmail as your primary account? I’d guess probably none.

Most of you probably have a Hotmail account but use it as a secondary/tertiary account for signing up to forums etc and spam.

Trend first disclosed the bug on May 13. Monday’s blog post said Microsoft has since plugged the hole, which resided in CSS, or cascading style sheet functionality, but didn’t say when.

“The attack takes advantage of a script or CSS filtering mechanism bug in Hotmail,” Dominguez wrote. “Microsoft has already taken action and updated Hotmail to fix the said bug.”

The vulnerable code helped inject a character into a Hotmail filtering mechanism that changed the way it behaved. The result was a platform that ran arbitrary commands in a user’s Hotmail login session.

It’s unclear how many Hotmail users may have been affected by the exploits and whether Microsoft has adequately warned users they may have been compromised. Microsoft spokesman Bryan Nairn wouldn’t say how many subscribers were targeted or when the patch was put in place.

Microsoft claims they have fixed the bug, but that’s really all they are saying; they aren’t saying when they knew about the problem or when it was patched – just that right now it is fixed.

You can read the May 13th blog post by Trend Micro here:

Targeted Attack Exposes Risk of Checking Personal Email at Work

And their later, more detailed post here:

Trend Micro Researchers Identify Vulnerability in Hotmail

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking



7 Responses to Hotmail Exploit Has Been Silently Stealing E-mail

  1. kurt wismer May 24, 2011 at 7:01 pm #

    on the question of who uses hotmail as their primary account, it’s worth noting that some organizations outsource their email to hotmail – and not just small companies but even major internet service providers.

    bell canada, one half of the isp duopoly in canada (under the brand name sympatico), have off-loaded their email service into the hands of hotmail. even though the addresses have a domain, you log into the webmail interface through microsoft’s service.

    as such, there’s probably a lot more people using hotmail than anyone realizes (because bell canada is probably not unique in this regard).

    • Darknet May 25, 2011 at 7:50 am #

      Very valid point you have there kurt. But then again how many people really use ISP allocated accounts? No doubt there is a lot of them, but are people really using them?

  2. Somebody May 25, 2011 at 7:49 am #

    What a motherfucking load of crap, just another reason not to use microfuck

    • Everyone Else May 26, 2011 at 2:38 pm #

      Wow. Very constructive feedback, Somebody. That was helpful.

  3. NNM May 27, 2011 at 12:32 pm #

    I still feel that hotmail is safer than gmail, yahoo, or any other free web based service.
    Maybe a false sense of security… But I still trust Microsoft. (And over the last year, I’ve lost ALL trust in google. They are evil..)
    I get almost no spam at all on most hotmail accounts, except those created for the purpose of signing up to things I don’t trust.

    And I don’t believe this can be compared to Sony. Not at all. You don’t give your credit card info to hotmail. No personal information either. And it’s free. And I’m pretty sure the situation is described in the terms of use, even though I don’t remember any of it.

    • brad May 27, 2011 at 4:50 pm #

      1) Why exactly have you a reason to think hotmail is more secure than gmail/yahoo?

      2) So you only get spam on the accounts you use for things that could get you spammed……. and then make a connection between this and the difference between gmail and hotmail how?

      3) Are you kidding? No personal info in email?

      4) Are you kidding? Remember it? How did you ever manage to read it?

  4. brad May 27, 2011 at 3:42 pm #

    CSS you say? I think I know exactly what the hack is then! It’s one which pretty much every website which allows style attributes is vulnerable to right now. The irony is, it is really only IE that can be hit by it.