ad info



CNN.com
 MAIN PAGE
 WORLD
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
* TECHNOLOGY
   computing
   personal technology
 SPACE
 HEALTH
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 ARTS & STYLE
 NATURE
 IN-DEPTH
 ANALYSIS
 myCNN
 Headline News brief
 news quiz
 daily almanac
  MULTIMEDIA:
 video
 video archive
 audio
 multimedia showcase
 more services
  E-MAIL:
Subscribe to one of our news e-mail lists.
Enter your address:
Or:
Get a free e-mail account
 DISCUSSION:
 message boards
 chat
 feedback
  CNN WEB SITES:
CNN Websites
 AsiaNow
 En Español
 Em Português
 Svenska
 Norge
 Danmark
 Italian
 FASTER ACCESS:
 europe
 japan
 TIME INC. SITES:
 CNN NETWORKS:
Networks image
 more networks
 transcripts

 SITE INFO:
 help
 contents
 search
 ad info
 jobs
 WEB SERVICES:

COMPUTING

Microsoft seals Hotmail security hole

January 6, 2000
Web posted at: 11:37 a.m. EST (1637 GMT)

by Stephanie Sanborn

From...
InfoWorld
Image

(IDG) -- Microsoft has fixed a password-exposing flaw in Hotmail JavaScript filters. The security snafu allowed access to user account passwords by tricking users into re-entering their passwords in a false log-in window.

Using JavaScript commands through an HTML tag in an e-mail message, a fake password log-in display dialog box would pop up, causing unsuspecting users to re-enter their passwords, thinking there had been a log-in problem. Re-entering the password in the fake box would reveal it to the attacker who sent the message.
  QUICKVOTE
Do you use Hotmail?
Yes
No
View Results

 
  MESSAGE BOARD
Microsoft
 

According to Bulgarian programmer Georgi Guninski, who discovered the hole, the Hotmail flaw could be used to fool those using Internet Explorer 4.x, 5.x, and Netscape Communicator 4.x.

Although Hotmail has filters to prevent these JavaScript breaches, the tag used to create the fake log-in window could get through or around those security filters.

"There is no risk associated with JavaScript applets in general, but they aren't appropriate in the particular case of Internet e-mail services like Hotmail," according to a statement from Microsoft. "In this case, the vulnerability provided a way to circumvent the restriction. Now that Microsoft has implemented a fix, this possibility no longer exists."

MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page

Microsoft's statement added that there is no evidence suggesting any Hotmail users were affected, and the flaw has been fixed so that users need not disable their browsers' JavaScript options.


RELATED STORIES:
Two glitches hit Microsoft Internet services as New Year rolls over
January 3, 2000
Taking AIM: Microsoft updates MSN Messenger
December 9, 1999
Privacy groups ask FTC to close e-mail loophole
December 6, 1999
RELATED IDG.net STORIES:
Two Y2K glitches hit Microsoft Internet services
(InfoWorld.com)
Hotmail users shut out due to Microsoft oversight
(Network World)
Users refute Microsoft’s Hotmail claims
(Computerworld Hong Kong)
Hotmail users spreading viruses, ISP says
(Computerworld Australia)
Microsoft adds three new language versions to MSN Hotmail
(InfoWorld.com)
Microsoft: Bad security, or bad press?
(IDG.net)
Here's How - Hot for Hotmail
(PC World)
Year 2000 World
(Year 2000 World)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
RELATED SITES:
Hotmail
Microsoft
Microsoft Online Network
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
 LATEST HEADLINES:
SEARCH CNN.com
Enter keyword(s)   go    help
Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.