HTML email
W. J. Myles
pmmail@rpglink.com
Thu, 11 May 2000 08:38:24 -0400 (EDT)
Here is another example of the benefits of using HTML email <g>
http://www.zdnet.com/zdnn/stories/news/0,4586,2566839,00.html
==================BEGIN FORWARDED MESSAGE==================
From ZDNet...Hotmail update
New flaw discovered in MS Hotmail
A glitch in Hotmail could have allowed a hacker to tap into a user's
account and read his or her e-mail. Hole is now closed.
By Margaret Kane, ZDNet News
UPDATED May 10, 2000 3:25 PM PT
A bug watcher has discovered a flaw in Hotmail that could have
allowed a hacker to tap into a user's account and read his or her
e-mail.
The company quickly moved to close the hole, and similar flaws were
also discovered in mail programs including Yahoo Mail, USA.net and
MailExcite.
Bennett Haselton, Webmaster for Peacefire.org, said the Hotmail flaw
involved sending a user an e-mail with an HTML attachment.
When the user clicks on the attachment, the file sends a copy of the
user's cookie to the hacker.
Once that cookie is received, the hacker can insert it manually into
the Netscape cookies.txt file and use that authentication key to log
in to Hotmail as the user.
Microsoft Corp. (Nasdaq: MSFT), which owns the Hotmail service, could
not immediately be reached for comment.
Not a 'trivial bug'
Since the cookie does not contain the user's password, the hacker can
only access the account when the user is logged on and as long as the
authentication code is valid. But Haselton said that five minutes
would be long enough for a hacker with a prepared script to download
all of a user's e-mail messages.
The trick uses JavaScript to send the cookie. Hotmail filters
JavaScript in regular e-mail messages but doesn't filter JavaScript
in HTML attachments.
"It's not a trivial bug that has to do with formatting; it's the
essential nature of the software," Haselton said. "Hotmail is what
all the big hunters set their sights on. ... Most of the free e-mail
services can be broken into, and you find a new way to do it every
three weeks or so. But it's really scary that hobbyists are the ones
who are doing this."
Haselton has discovered several bugs in the past, including a
security flaw in the Eudora e-mail program, and a Netscape exploit
that allowed Webmasters to view users' bookmarks.
===================END FORWARDED MESSAGE===================
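The gap the article describes is a filter that inspects inline HTML but skips HTML attachments. As an added example (not Hotmail's, Peacefire's or ZDNet's code), the Python script below walks every text/html MIME part of a constructed sample message and flags active content; with include_attachments=False it reproduces the body-only policy and misses the attachment.

```python
"""Added example (not Hotmail's or ZDNet's code): inspect every text/html MIME
part of a message, attachments included, for active content.  The sample
message is constructed here for the demonstration."""
import email
import re
from email import policy
from email.message import EmailMessage

# Markers of active content in HTML: script tags, inline event handlers,
# javascript: URLs and direct cookie access.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|document\.cookie",
    re.IGNORECASE,
)


def build_sample_message():
    """Constructed sample: plain/HTML body plus an HTML attachment with script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text body, no markup.")
    msg.add_alternative("<p>Harmless HTML body.</p>", subtype="html")
    attachment_html = (
        "<html><body><script>document.title = 'x';</script>"
        '<img src="x.png" onerror="document.title = \'y\';"></body></html>'
    )
    msg.add_attachment(attachment_html, subtype="html", filename="page.html")
    return msg.as_string()


def find_active_content(raw_message, include_attachments=True):
    """Return (location, marker) pairs for every active-content hit.

    include_attachments=False reproduces the weaker policy the article
    describes: inline HTML is checked, HTML attachments are not.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        is_attachment = part.get_content_disposition() == "attachment"
        if is_attachment and not include_attachments:
            continue
        location = "attachment" if is_attachment else "body"
        for match in ACTIVE_CONTENT.finditer(part.get_content()):
            findings.append((location, match.group(0).lower()))
    return findings


if __name__ == "__main__":
    sample = build_sample_message()
    print("body-only filter:", find_active_content(sample, include_attachments=False))
    print("all HTML parts:  ", find_active_content(sample))
```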