May 6, 1999 1:55 PM PDT
Malicious hacker steals Hotmail passwords
Related Stories:
- Microsoft gives Hotmail a facelift (April 7, 1999)
- Cookies cap Hotmail security hole (March 19, 1999)
- Free email comes at a price (March 1, 1999)
- Web email bug bites the Net (February 4, 1999)
Microsoft's MSN Hotmail said it has implemented a patch to thwart a JavaScript exploit that snared the passwords of about ten users. Although Hotmail has faced numerous similar exploits in the past, they were merely demonstrations crafted by security-minded programmers anxious to expose security holes before they were exploited for real.
This one appears to be the first known instance in which users actually lost their Hotmail passwords.
"We're not aware of any [previous] passwords successfully stolen in this type of exploit," said Hotmail product manager Laura Norman.
The Trojan horse password-stealing scheme involved an emailed attachment containing a link to a Web page. A script running on the attacker's Web page then submitted a password-change request to the Hotmail server, locking the user out of the account and giving the attacker access to it.
Hotmail was not more specific about the mechanics of the script or how the hole was patched. Norman did say Hotmail would step up its efforts to educate users about the safety of opening attachments.
"We are increasing our messaging to users about only opening attachments from trusted sources," she said.
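The article does not say how the script worked or how Hotmail closed the hole. What follows is an added illustration, not Hotmail's code or a description of its actual fix, of the two server-side checks that defeat this class of attack, in which a script on a third-party page gets the victim's own browser to submit a password change: a per-session anti-forgery token that only the first-party settings page can supply, and re-entry of the current password before any change is accepted. The `MailService` class, its in-memory account and session tables, and the sample account are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    user: str
    # Random token embedded only in the first-party settings page; a script on
    # another site can make the browser send the session cookie but cannot read this.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MailService:
    """Constructed stand-in for a web mail back end (example only)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def change_password(self, request: dict) -> Tuple[int, str]:
        """`request` stands in for a parsed HTTP request: 'cookie' is the session id the
        browser attaches automatically, 'form' holds the fields the submitting page sent."""
        sess = self.sessions.get(request.get("cookie"))
        if sess is None:
            return 401, "not logged in"
        form = request.get("form", {})
        # Check 1: the form must carry the session's anti-forgery token. A request
        # triggered from a third-party page arrives with the cookie but without it.
        if not hmac.compare_digest(form.get("token", "").encode(), sess.csrf_token.encode()):
            return 403, "missing or invalid anti-forgery token"
        # Check 2: the current password must be re-entered, so possession of a live
        # session alone is not enough to lock the real owner out.
        acct = self.accounts[sess.user]
        if not hmac.compare_digest(acct.pw_hash, hash_password(form.get("current", ""), acct.salt)):
            return 403, "current password required"
        new = form.get("new", "")
        if len(new) < 8:
            return 400, "new password too short"
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new, acct.salt)
        # Drop every other session for this user so a session copied elsewhere dies with the old password.
        for other_sid, other in list(self.sessions.items()):
            if other.user == sess.user and other_sid != request["cookie"]:
                del self.sessions[other_sid]
        return 200, "password changed"


def demo() -> Tuple[int, int, bool, bool]:
    """Runs a forged and a legitimate change against a constructed account."""
    svc = MailService()
    svc.register("alice", "correct horse battery")
    sid = svc.login("alice", "correct horse battery")
    token = svc.sessions[sid].csrf_token
    # Cross-site style request: the cookie rode along, the token and current password did not.
    forged = svc.change_password({"cookie": sid, "form": {"new": "someone-elses-choice"}})
    # First-party request from the real settings page.
    legit = svc.change_password({"cookie": sid, "form": {
        "token": token, "current": "correct horse battery", "new": "new passphrase 42"}})
    old_rejected = svc.login("alice", "correct horse battery") is None
    new_accepted = svc.login("alice", "new passphrase 42") is not None
    return forged[0], legit[0], old_rejected, new_accepted


if __name__ == "__main__":
    print(demo())  # constructed run: (403, 200, True, True)
```

Either check on its own would have stopped the request described above; requiring both means a leaked token does not help without the password, and a phished password still cannot be used from a page the user did not open.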
Trojan horses consist of executable content that acts in a way other than the user expects it to. JavaScript is a scripting language developed by Netscape Communications for authoring Web site actions that do not require user interaction; pop-up windows, for instance, are commonly authored with JavaScript. JavaScript is unrelated to Java, Sun Microsystems' platform-independent computer programming language.
JavaScript has been the tool of choice for numerous bug hunters and hackers because of its ability to carry out actions on the user's computer without his or her consent or knowledge. For this reason, many security-conscious Web surfers disable the technology when surfing the Web.
The perpetrator's Web site was hosted by free home page provider Tripod, which is owned by Lycos. Norman said that Tripod was "very cooperative," but she declined to state whether the firms were taking action against the password thief.
- They just stole my Hotmail account and eBay account
- On the 22nd of July someone broke into my Hotmail account and eBay account. Thank God eBay was on the ball and shut them down before any damage could be done. I've since regained eBay, but I can't get my Hotmail back or get any help online or over the phone to regain my Hotmail account. I keep getting the runaround everywhere I go.