Hotmail JavaScript-in-attachment attack
--------------------------------------------------------------------------------

SUMMARY

This advisory describes a security hole in Hotmail that allows an intruder to break into someone's Hotmail account by sending that person an email message with an attached HTML file. When the user views the attached HTML file, their cookies in the HotMail.MSN.com domain are intercepted and sent to a hostile site; since the cookies are used for authentication, whoever receives them can then log into Hotmail as that user.

NOTE: Hotmail fixed this issue on May 10, 2000, but the hole was open up until that date.

DETAILS

Hotmail already filters JavaScript from incoming email messages, but it does not filter JavaScript in attached HTML files. To prevent JavaScript in attached HTML files from accessing a user's cookies, the Hotmail server loads the attached file from a URL that begins with an IP address rather than a host name. This works because cookies set for a host name or domain name are not sent to a site that is accessed by its IP address, even if that site is the same site that set the cookie.

However, it turns out that only six different IP addresses are used to load attached HTML files, and all of them correspond to hostnames in the hotmail.msn.com domain:

lw3fd.law3.hotmail.msn.com -- 209.185.240.250
lw34fd.law4.hotmail.msn.com -- 216.33.148.250
lw6fd.law6.hotmail.msn.com -- 216.32.240.250
lw7fd.law7.hotmail.msn.com -- 216.33.236.250
lw8fd.law8.hotmail.msn.com -- 216.33.240.250
lw9fd.law9.hotmail.msn.com -- 64.4.8.250

So an attacker can intercept the user's cookies by sending them the attached file "magic-attachment.html". The JavaScript in magic-attachment.html carries out the following steps:

1) Looks at the document.location variable to determine whether the attachment is being viewed at a URL beginning with an IP address or a host name.

2) If document.location begins with an IP address, the script looks up the IP address in the table above and redirects the user's browser to a new URL identical to the current URL except that the IP address has been replaced with the corresponding host name.

3) If document.location begins with a host name, the .hotmail.msn.com cookies are sent to the page and can be intercepted by JavaScript code which submits them to a form on Peacefire.org.

Fix:

As noted above, Hotmail has fixed this vulnerability.

ADDITIONAL INFORMATION

The information has been provided by: Bennett Haselton. See http://www.peacefire.org for more information.

====================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
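The isolation described in DETAILS rests on the browser's cookie domain-match rule, and it fails only because each attachment-serving IP address reverse-maps to a host inside the cookie domain. As an added example (not code from the advisory or from Peacefire), the Python below models that rule in simplified Netscape-era form and audits the six address/hostname pairs from the table above for exactly that gap; the table values are taken from this advisory, and the cookie domain ".hotmail.msn.com" is assumed from step 3.

```python
import ipaddress

# Constructed from the advisory's table: IP address -> hostname it corresponds to.
ATTACHMENT_ORIGINS = {
    "209.185.240.250": "lw3fd.law3.hotmail.msn.com",
    "216.33.148.250": "lw34fd.law4.hotmail.msn.com",
    "216.32.240.250": "lw6fd.law6.hotmail.msn.com",
    "216.33.236.250": "lw7fd.law7.hotmail.msn.com",
    "216.33.240.250": "lw8fd.law8.hotmail.msn.com",
    "64.4.8.250": "lw9fd.law9.hotmail.msn.com",
}

# Assumed cookie scope, per step 3 of the advisory.
COOKIE_DOMAIN = ".hotmail.msn.com"


def is_ip_literal(host: str) -> bool:
    """True if the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Simplified domain-match rule: a cookie scoped to '.hotmail.msn.com' is
    sent to that domain and any host beneath it, never to an IP literal, even
    when the literal resolves to such a host.  Suffix-only tricks such as
    'hotmail.msn.com.example' do not match because the dot boundary is required."""
    if is_ip_literal(request_host):
        return False
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def audit_attachment_origins(ip_to_hostname: dict, cookie_domain: str) -> list:
    """Return (ip, hostname) pairs where the IP form receives no cookies but the
    hostname it maps to does.  Each such pair means the 'IP-address URL'
    isolation holds only until a page navigates to the hostname form, which is
    the weakness the advisory describes.  A safe hosting setup yields []."""
    findings = []
    for ip, hostname in ip_to_hostname.items():
        if not cookie_domain_matches(ip, cookie_domain) and \
                cookie_domain_matches(hostname, cookie_domain):
            findings.append((ip, hostname))
    return findings
```

Serving attachments from a host outside the cookie domain (a separate, cookie-less domain) would make the audit return an empty list.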