WebApp Sec mailing list archives

Re: Top Ten Web App Sec Problems


From: Marc Slemko <marcs () znep com>
Date: Mon, 2 Dec 2002 17:07:19 -0800 (PST)

On Mon, 2 Dec 2002, Kevin Spett wrote:

There have been a number of publicized Hotmail problems that were being
exploited.  This was back when you could send scripted content in an email
message and it would get executed.  You would open your mail, and it'd pop up a
window saying "Oh, I'm sorry, you'll have to log in again" or something.

Hotmail is a great example because it combines two key elements:

1. poorly implemented, widely deployed (compared to others) single
signon system

2. easy attack vector (email to a hotmail account... easy to do
both mass and targeted attacks, you are kidding yourself if you
think there are no more holes in hotmail's HTML filters)

This makes all sorts of combinations of circumstance ripe for
exploitation.  For example, if someone logs into their MSN messenger
account, follows the link to view their hotmail inbox, then reads your
message, you can steal any credit cards in their passport wallet (or
MSN wallet, which is what they are replacing passport wallet with...
little difference in this regard).

Obviously this is just one particular scenario (and a tired old
one at that), and requires the combination of a couple of cross
site scripting holes plus a few key design problems in passport,
but the possibilities are nearly limitless and the number of possible
interactions between sites using the SSO system grows exponentially
as the number of sites using the SSO increases.

Yup, this is an almost identical scenario to the one I publicized
last year.  The more things change, the more they stay the same.