Hotmail flaw allows attackers to exfiltrate emails
Posted on 24 May 2011.
The analysis of a recent targeted attack against webmail users has led Trend Micro researchers to discover a vulnerability in Microsoft's Hotmail webmail service that allowed attackers to siphon contact details and email messages from the victims' accounts.

To trigger the attack, the victim wasn't required to click on a link or download and execute an attachment - simply opening the message would do the trick and a script embedded in the email would automatically be executed.

The script would then connect to http://www.{BLOCKED}{user account name}{number} to download yet another script.

"The nature of the said URL strongly suggests that the attack is targeted," say the researchers. "The URL contains two variablesó{user account name}, which is the target userís Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as weíve found that the information theft routines are only executed when certain numbers are in the {number} field.

This second script takes advantage of a script or a CSS filtering mechanism flaw present in Hotmail to send out a request to the server that makes it forward all the stored emails to a predefined email address belonging to the attackers.

The good news is that once the user logs out (i.e. terminates the session) the email forwarding stops. Another good news is that Microsoft has been apprised of the situation and has already implemented a patch for the flaw.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th