June 6, 2005 5:53 PM PDT

MSN flaw put Hotmail accounts at risk

Microsoft took part of its MSN Web site offline over the weekend, after it learned of a flaw that could let an attacker gain access to Hotmail accounts, the company said.

The MSN Web site, http://ilovemessenger.msn.com/, contained a so-called cross-site scripting flaw, a Microsoft representative said on Monday. In its initial review of the issue, the company found that an attacker could use the vulnerability to obtain "cookies" from Hotmail users by getting them to click on a malicious URL. That could then grant access to those e-mail accounts, the representative said.

Cookies are small files stored on a computer that contain user data. Hotmail is one of the world's most popular Web-based e-mail services, with more than 200 million active accounts, according to Microsoft.

Microsoft's acknowledgement of the Hotmail issue comes after the security hole was disclosed on Saturday by Alex de Vries, a Dutch programmer, on the Net-Force Web site for security enthusiasts.

Cross-site scripting flaws are errors in Web site design, not in Web browsers, and were discovered more than five years ago. Microsoft has described the flaws as serious security vulnerabilities.

Hotmail customers are no longer at risk, according to Microsoft. "The 'I Love Messenger' Web site has been disabled," the company representative said in an e-mail statement. The site, which hosts emoticons, display pictures and backgrounds for MSN Messenger, Microsoft's free instant messaging service, will be restored once the issue has been resolved, the company said. On Monday afternoon PT, the I Love Messenger Web address was redirecting users to the main MSN Messenger Web site.

The Hotmail and MSN flap comes within a week after Microsoft acknowledged that its South Korean MSN Web site had been hacked. Attackers placed malicious software on the news section of MSN Korea in an attempt to steal passwords for "Lineage," a popular online game in Asia.


Join the conversation!
Add your comment
It's Microsoft!
from the company that created the security riddled operating
system Windows, comes the i love messenger website!

Did we really think that the people who brought us windows would
bring us a website without a security flaw? *giggles*
Posted by dlmtechnology (20 comments )
Reply Link Flag
CNET Missed Major Story About Hotmail
CNET's reporter must be brain dead to miss the real story which is that Microsoft disabled Outlook Express access to Hotmail starting late last week even for paid up customers to premium accounts. The service still isn't fully restored. Check out Usenet forums under Microsoft's newsgroup for Outlook Express to see the message traffic.
Posted by djysrv (15 comments )
Reply Link Flag
WebDAV ("outlook Express support") is still working!
WebDAV ("outlook Express support") is still working!

I have my (free) Hotmail account polled hourly, and there's no problem except the usual occasional connection failures (an average of one failure every three days in the past year). Just a minute ago it worked!
Posted by hadaso (468 comments )
Link Flag
Hotmail and Outlook Express
I have had hotmail since day 1 back in 1991 / 1992. And Outlook Express since day 1 also.

I was really pissed that Microsoft kept a 1meg limit to e-mails and was ready to move to GMAIL when they suddenly increased my limit to 250MB.

Now they have discontinued supporting Hotmail in Outlook Express for free accounts.

Microsoft just seems to be making bad decisions daily.

They just made my decision to move to GMAIL !!

Asta la vista microsoft.
Posted by ratanlal (1 comment )
Reply Link Flag
Message has been deleted.
Posted by ithinkmydadzgonecrazy (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.