Hotmail flaw allows attackers to exfiltrate emails
Posted on 24 May 2011.
The analysis of a recent targeted attack against webmail users has led Trend Micro researchers to discover a vulnerability in Microsoft's Hotmail webmail service that allowed attackers to siphon contact details and email messages from the victims' accounts.

To trigger the attack, the victim wasn't required to click on a link or download and execute an attachment - simply opening the message would do the trick and a script embedded in the email would automatically be executed.

The script would then connect to http://www.{BLOCKED}{user account name}{number} to download yet another script.

"The nature of the said URL strongly suggests that the attack is targeted," say the researchers. "The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.

This second script takes advantage of a script or a CSS filtering mechanism flaw present in Hotmail to send out a request to the server that makes it forward all the stored emails to a predefined email address belonging to the attackers.

The good news is that once the user logs out (i.e. terminates the session) the email forwarding stops. Another good news is that Microsoft has been apprised of the situation and has already implemented a patch for the flaw.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Nov 30th