Another Hole in Hotmail

Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).

Hotmail did.

I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.

This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.

But then again, I rarely. So who. Well!

Re:you missed the point

The point was that people don't read the dialog.

Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla ;), but normally it is not what you want. The point of the poster you replied to was that the user doesn't need to know that formatting is bad and thus you don't know for sure 1 out of 3 users don't read dialog boxes.

Thimo
--

it's not a microsoft bug per se...

This is an embedded javascript exploit, just like some of the earlier exploits (not VBS as described above by CT). Hotmail is filtering out javascript within the bodies of e-mail, but not attached html files. They could remedy this by either filtering attached html files (not so easy to do) or by offloading the attachments to be read from a seperate server outside the *.hotmail.com domain (my recommendation).

Here's an awesome story [wired.com] about another risk of using web-based e-mail. It describes how your IP address could be identified if the sender attaches an IMG tag to the e-mail and then watches the web server log for when you read the mail and your browser requests the image from her server. Clever.

Seth

Security Hole Discovered At Slashdot!

Here's the exploit:

1) Find a story about technology (if your name is "Katz" this step is unneeded)
2) Skim the headline of said story to "get the gist".
3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.

For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.

What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

A Brief Explanation for the lazy

How this seems to work is that someone emails you an HTML file as an attachment.

If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to me from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.

These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.

It's not clear form the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.

Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.

-Ciaran

I can't resist...someone has to say it.

C is for cookie, that's good enough for me!

Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>

Formatting the same as erasing?

Your post underscores the fact that many technical people have forgotton the original meaning of the words they use. It's really a shame.

To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?

When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.

If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.

Social Engineering is easier

I've seen websites that claim to give people access to anyone's Hotmail account. All you have to do is send an e-mail to a particular address that looks valid (something like account-password@hotmail.com) and give them the login of the person whose acct you want to get into, as well as your own login and password.

I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.

Re:The intelligence of a typical computer user

A lot of people run programs from strangers; the press and computer industry don't do a good enough job of educating people about these things.

I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.

IMG tags in emails...

Oh, yes. I've actually suggested we do something similar at our company. We send out HTML emails to our customers. The URL in the IMG tag doesn't have to be an image at all--it can be a CGI page which redirects to an image. Throw a couple of parameters (like a user-id) into the URL, and the CGI page can record exactly when users open the email. Nifty, eh? I never thought of capturing the IP address directly (not something we're interested in) but it would obviously be possible.

Wonder if this could be exploited further?

You'd be surprised.

I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..

Dealing with human tendencies

This reminds me of something I heard a long time ago that has to do with human tendencies:

"If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."

You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
--

not just hotmail...

remember the CERT advisory [slashdot.org] in february about untrusted people being able to make it seem like javascript code came from a trusted website? i was wondering when someone would start exploiting this seriously. almost every site with dynamic content that isn't completely controlled by the site's owner is vulnerable to similar attacks.

the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.

--

Hooray for Javascript

It doesn't actually do many of the horrible things associated with the ILOVEYOU crap, but it will let someone else commandeer your hotmail account.

A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.

Re:Formatting the same as erasing?

But that's beside the point. The fact that it re-initializes the directory structure and allocation tables is nowhere near as big of an issue as the fact that it erases all data on the drive!!!!

Usually it doesn't actually. The data is still there but inaccessable because the OS just reset the allocation tables. You're not really losing the data, you're losing the ability to access the data in the intended mannor, its a byproduct.

Dos even had an "unformat" command.

-- iCEBaLM

File extensions

What alot of us forget, is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, alot of non technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
(Win98 may default to this too, I don't remember)

I suspect lots of nongeeks leave it at the default...

Wow

Another grammatically fascinating post by CmdrTaco, and another administratively fascinating event in the history of Microsoftified Hotmail.

I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?

Re:question about the above statement

It's not the grammar that bothers me, so much as the inaccuracy of the summary. It isn't a VBS attachment that causes the problem, but rather a plain HTML attachment with embedded javascript. Even in a world of "intelligent" users, HTML is expected to be a "safer" document format, rather than "dangerous" executable code.

I think there're a number of people you could assign the blame to, but no one entity that's "fully stupid". Users should be more careful, Hotmail should attempt some filtering, but most importantly the w3c should provide a means of denoting "third-party" HTML (and other documents) that appears to be from the server, but in reality was placed there by someone else (such as an attachment to an email or a comment in a message board that doesn't restrict HTML).

The acutal nature of the Hotmail hole

Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is acutally an HTML file which contains the exploit. More specifically:

The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.

Ironically, this information is largely reproduced from the article on Peacefire [peacefire.org] cited in the original post. No mention of VBS files anywhere.