[WEB4LIB] Re: hotmail security hole

rhiebert at sd6.bc.ca rhiebert at sd6.bc.ca
Mon Jun 5 12:07:39 EDT 2000


Hello Andrew,

It might be, but the process I overheard (described in convincing detail --
which, alas, I can't remember) was not this complex.

I found that site a few minutes ago and they have a tool there for showing the
cookies that accompany a hotmail email. I tried it out; it seems to work and
revealed nothing sinister.

Thanks for your assistance.

Regards,
Robert

Robert Hiebert
Librarian, Golden Secondary School
www.sd6.bc.ca/gss/library/
Fax: 250 344 7116
rhiebert at sd6.bc.ca


Andrew Mutch <amutch at waterford.lib.mi.us>
06/05/2000 09:13 AM
Please respond to amutch

To:      Multiple recipients of list <web4lib at webjunction.org>
cc:      (bcc: Robert Hiebert/SD6)
Subject: [WEB4LIB] Re: hotmail security hole





Robert,

You might have been hearing about this:

"This page describes a security hole in HotMail that allows an intruder to break
into someone's HotMail account by sending that person an email message with an
attached HTML file. When the user views the attached HTML file, their cookies in
the HotMail.MSN.com domain are intercepted and sent to a hostile site; since
the cookies are used for authentication, whoever receives them can then log into
HotMail as that user."
See:
http://www.peacefire.org/security/hmattach/

This vulnerability has been fixed by Hotmail.

Andrew Mutch
Library System Technician
Waterford Township Public Library
Waterford, MI

rhiebert at sd6.bc.ca wrote:

> Hello,
>
> I'm in a grade 8 to 12 high school. I overheard a student say that by sending
> himself an email using hotmail with a school computer, he could look at the
> cookie and find out our school's dialup number (which we don't have since we
> have a direct connection) and password. Our workstations run Win95 on an NT
> server. We use Netscape 4.7x (but IE is available).
>
> I've signed up for a hotmail account and am trying to duplicate what he said,
> but I'm getting nowhere. Any help would be appreciated.
>
> Regards,
> Robert
>
> Robert Hiebert
> Librarian, Golden Secondary School
> www.sd6.bc.ca/gss/library/
> Fax: 250 344 7116
> rhiebert at sd6.bc.ca





