Bugtraq mailing list archives
Re: New exploit can freeze web browsers!
From: Marc Slemko <marcs () ZNEP COM>
Date: Mon, 14 Aug 2000 12:30:24 -0600
On Fri, 11 Aug 2000, Michael Wheaton wrote:
> Everyone wants to freeze someone's computer when they read an e-mail, right? Hotmail has put their security way up but still Yahoo!Mail and hundreds of others can be used to freeze a person's computer easily! As you know, JavaScript can be used to execute functions on a person's computer without their permission to do so. A while ago you used to be able to execute JavaScript on HotMail but they've completely removed that possibility for now. JavaScript has been blocked out of many other popular e-mail programs but I have discovered a method to get past this.
There is nothing new about this, and in general freezing their computer isn't too entertaining. The more useful (and annoying to the user) stuff is when you steal their web based email account.

You can still execute arbitrary javascript on a majority of users' browsers on a vast majority of web based email services, including hotmail, yahoo mail, etc. All it takes is being a little crafty with the HTML, perhaps including exploiting browser specific issues like IE's bug where it will treat "java\000script" like "javascript", where \000 is a null character. Until these companies get over the misconception that they have any hope of filtering only "bad" HTML out of messages, this will continue to be an issue.

Hotmail has been vulnerable to such attacks 100% of the time since it was started; people just haven't found it interesting enough to keep finding the next way to work around their filters, or they haven't kept posting them.

Combine this with poor use of cookies from a security standpoint and the requirement of many web based email services that you have javascript enabled just to use the service... and you leave yourself wide open.

The task that lies in front of providers of web based email is to add a safe mode, that may or may not be enabled by default, that does not allow HTML to be interpreted in messages at all. Then they can also have a mode where a specific subset of HTML is permitted, and everything else is denied. Then they have a last resort mode that lets you read a message with everything except what they think is "unsafe" markup passed through, that you can use for a particular message if you have cause to.

As long as hotmail continues along its current path of "we think we can filter out the bad stuff", they will always be vulnerable. Period.

Sure, I could include yet another example of a hotmail exploit. But what is the point?
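The contrast the reply draws, a "strip the bad stuff" blacklist against the two safer modes it proposes (no HTML interpreted at all, or a fixed permitted subset with everything else denied), as an added example in Python that is not part of the original thread or of any webmail provider's code. The blacklist filter removes only the literal `javascript:` scheme and `<script>` blocks, so the `java\000script` variant the reply mentions and an event-handler attribute pass through untouched; the allowlist sanitizer keeps only listed tags and attributes and checks the link scheme after dropping control characters. The tag, attribute and scheme lists and the sample message are constructed assumptions, not taken from any real service.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message body (not from the original post). It mixes benign
# markup with the NUL-byte "java\000script" variant mentioned in the reply and
# an inline event handler, so both filtering strategies can be compared on it.
SAMPLE_MESSAGE = (
    '<p>Hello, <b>see</b> the attachment.</p>'
    '<a href="java\x00script:alert(document.cookie)">click</a>'
    '<img src="x" onerror="alert(1)">'
)

# Assumed policy for the "specific subset of HTML" mode.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def blacklist_filter(body: str) -> str:
    """The "filter out the bad stuff" approach the reply criticises: remove
    <script> blocks and the literal javascript: scheme, pass everything else."""
    body = re.sub(r"<script.*?</script>", "", body, flags=re.I | re.S)
    body = re.sub(r"javascript:", "", body, flags=re.I)
    return body


def plaintext_mode(body: str) -> str:
    """Safe mode: no HTML is interpreted at all; the message is shown verbatim."""
    return html.escape(body, quote=True)


def safe_href(value: str):
    """Return the href only if its scheme is on the allow list. Control
    characters (NUL included) and whitespace are removed before the check so a
    split or padded scheme cannot be read differently by the browser."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    if cleaned.lower().startswith(SAFE_SCHEMES):
        return cleaned
    return None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from scratch, emitting only allowed tags and
    attributes; anything not explicitly permitted is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it (its text content is still kept)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onerror, style, src, ...: never passed through
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is re-escaped, never raw

    def result(self) -> str:
        return "".join(self.out)


def allowlist_filter(body: str) -> str:
    """Subset mode: only ALLOWED_TAGS/ALLOWED_ATTRS survive."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print("blacklist :", repr(blacklist_filter(SAMPLE_MESSAGE)))
    print("plaintext :", plaintext_mode(SAMPLE_MESSAGE))
    print("allowlist :", allowlist_filter(SAMPLE_MESSAGE))
```

Running the block shows the blacklist output is byte-for-byte the input, because neither of its patterns matches the message, while the allowlist output reduces to the paragraph and a bare `<a>click</a>`. The design point matches the reply: a deny list has to anticipate every browser quirk, whereas an allow list only has to describe the markup the service is willing to render.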
Current thread:
- New exploit can freeze web browsers! Michael Wheaton (Aug 14)
- Re: New exploit can freeze web browsers! Marc Slemko (Aug 15)