[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Hotmail security hole - injecting JavaScript using <IMG
[ Part 1, Text/PLAIN 79 lines. ]
[ Unable to print this part. ]
I have tested the code included in Georgi's email an it seems that
Yahoo's web-based email is also vulnerable.
solutions: disable JS
Kevin Hecht <khecht19@IDT.NET> wrote:
Georgi Guninski wrote:
>
> Georgi Guninski security advisory #1, 2000
>
> Hotmail security hole - injecting JavaScript using >
LOWSRC="javascript:....">
>
> Disclaimer:
> The opinions expressed in this advisory and program are my
own and not
> of any company.
> The usual standard disclaimer applies, especially the fact
that Georgi
> Guninski is not liable for any damages caused by direct or
indirect use
> of the information or functionality provided by this
program.
> Georgi Guninski, bears NO responsibility for content or
misuse of this
> program or any derivatives thereof.
>
> Description:
> Hotmail allows executing JavaScript code in email messages
using > LOWSRC="javascript:....">,
> which may compromise user's Hotmail mailbox.
>
> Details:
> There is a major security flaw in Hotmail which allows
injecting and
> executing JavaScript code in an email message using the
javascript
> protocol. This exploit works both on Internet Explorer 5.x
(almost sure
> IE 4.x) and Netscape Communicator 4.x.
> Hotmail filters the "javascript:" protocol for security
reasons.
> But the following JavaScript is executed: >
LOWSRC="javascript:alert('Javascript is executed')"> if the
user has
> enabled automatically loading of images (most users have).
>
> Executing JavaScript when the user opens Hotmail email
message allows
> for example displaying a fake login screen where the user
enters his
> password which is then stolen.
> I don't want to make a scary demonstration, but it is also
possible to
> read user's messages, to send messages from user's name and
doing other
> mischief.
> It is also possible to get the cookie from Hotmail, which
is dangerous.
> Hotmail deliberately escapes all JavaScri pt (it can
escape) to prevent
> such attacks, but obviously there are holes.
> It is much easier to exploit this vulnerability if the user
uses
> Internet Explorer 5.x
>
> Workaround: Disable JavaScript
>
> The code that must be included in HTML email message is:
> --------------------------------------------------------
>[IMAGE]
> --------------------------------------------------------
>
> Regards,
> Georgi Guninski
> http://www.nat.bg/~joro
A quick check of the Messenger Express web client built into
Netscape
Messaging Server 4.1 at one of my sites seems to indicate
that it may be
vulnerable as well, as the code above works fine so long as
the browser
has JS enabled. However, it doesn't use cookies much if at
all, so the
cookie capture risk is lower though it seems plausible that
the social
engineering attacks remain a threat.
While Hotmail obviously has a filtering hole, should the
browser
manufacturers be on the hook here as well, given that
javascript: URLs
probably shouldn't be rendered at all by the[IMAGE] tag?
While a
JavaScript script may load an image on its own, I don't see
why the
script itself should be loaded and parsed from an[IMAGE] tag.
--
Kevin Hecht - http://idt.net/~khecht19/
"I am an optimist. It does not seem too
much use being anything else." - Winston Churchill
________________________________________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
|
