The exploit was the latest in a series devised by bug hunters using JavaScript to launch fraudulent password entry screens to trick people into handing over control of their accounts.
JavaScript is a Web scripting language designed to take actions on a Web site visitor's computer, such as launching a new window or scrolling text across the screen, without the visitor's interaction. After the first few password-stealing schemes came to light, Hotmail and other Web email providers decided to filter JavaScript from incoming messages.
But bug hunters have kept themselves busy finding ways to sneak the code around Hotmail's filters.
In the example addressed by Hotmail this week, Bulgarian bug hunter Georgi Guninski demonstrated a way to inject JavaScript through a style tag. The exploit worked only with Microsoft's Internet Explorer browser.
In response to news of the bug, Microsoft this week patched the Hotmail servers.





