Microsoft's free Web-based email provider Hotmail says it is working
"feverishly" to fix a security breach that lets malicious JavaScript programmers alter the Hotmail user interface and swipe user passwords.
The problem came to light this morning after networking solutions reseller Specialty Installations posted a demonstration of it on the company's "Because We Can" Web site. That site is dedicated to not-for-profit work that the Canadian company's Web programmers produce.
Dubbed "Hot" Mail, the exploit is an email message containing a so-called "Trojan Horse" that alters the Hotmail user interface. In this altered interface, any
command the user makes yields a bogus Hotmail "time expired" message asking the
user to reenter his or her user name and password.
Once these are entered, the user returns to the standard Hotmail site. But
the user name and password are on their way to the malicious coder, or, in
the case of the demonstration, to Specialty Installations.
JavaScript is a scripting language that Web programmers use to create
things like pop-up windows and forms on a Web page. It is named for, but
otherwise unrelated to, the Java programming language.
"It does appear to work," said Sean Fee, director of product marketing at
Hotmail. "It appears to be a security breach within Hotmail. We are
investigating its feasibility and scope, and we will fix it as quickly as
possible. We have got a pretty significant team here working on this.
Protecting our personal email users and their accounts is of paramount
importance to us."
Written by Specialty Installations Web programmer Tom
Cervenka (identified on the demonstration Web site by his alias, Blue Adept), the exploit takes advantage of the fact that Hotmail permits users to receive
JavaScript code in email messages.
Some free email providers, including Yahoo
Mail, already filter out JavaScript code from incoming messages.
Cervenka is urging Hotmail to implement the same restriction. In the mean
time, he recommends that Hotmail users disable JavaScript in their browsers.
"I can't imagine that I'm the only person who has figured this out,"
Cervenka said. "I wrote this exploit because I wanted to show how dangerous
this situation is if you don't have any kind of JavaScript filtering."
Free said Hotmail was considering a number of options, including the one
Cervenka suggested. He would not specify alternate solutions, but did say
that the company was working on a way to notify Hotmail users of the risk.
Hotmail currently has 22 million active users. Hotmail defines an active
user as one who has used his or her account in the past 120 days.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
