[WEB4LIB] hotmail security hole

Andrew Mutch amutch at waterford.lib.mi.us
Mon Jun 5 11:20:06 EDT 2000


Robert,

You might have been hearing about this:

"This page describes a security hole in HotMail that allows an intruder to break
into someone's HotMail account by sending that person an email message with an
attached HTML file. When the user views the attached HTML file, their cookies in
the HotMail.MSN.com domain are intercepted and sent to a hostile site; since
the cookies are used for authentication, whoever receives them can then log into
HotMail as that user."
See:
http://www.peacefire.org/security/hmattach/

This vulnerability has been fixed by Hotmail.

Andrew Mutch
Library System Technician
Waterford Township Public Library
Waterford, MI

rhiebert at sd6.bc.ca wrote:

> Hello,
>
> I'm in a grade 8 to 12 high school. I overheard a student say that by sending
> himself an email using hotmail with a school computer, he could look at the
> cookie and find out our school's dialup number (which we don't have since we
> have a direct connection) and password. Our workstations run Win95 on an NT
> server. We use Netscape 4.7x (but IE is available).
>
> I've signed up for a hotmail account and am trying to duplicate what he said,
> but I'm getting nowhere. Any help would be appreciated.
>
> Regards,
> Robert
>
> Robert Hiebert
> Librarian, Golden Secondary School
> www.sd6.bc.ca/gss/library/
> Fax: 250 344 7116
> rhiebert at sd6.bc.ca
