Feeds

Hotmail users exposed to cookie snaffling exploit

Peril

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

A cookie manipulation exploit that created a possible means for hackers to break into Hotmail accounts forced Microsoft into pulling a portion of its website last weekend.

The exploitable page - http://ilovemessenger.msn.com - has been updated to remove a cross site scripting flaw that was the subject of the exploit. But Alex de Vries, the Dutch security enthusiast who discovered the trick, warns that other portions of MSN's site are still vulnerable.

The exploit works in three stages. Hackers use security loopholes to inject hostile code onto MSN's web site. Hackers can then harvest Hotmail cookies from surfers redirected to this contaminated page by taking advantage of the use of Hotmail cookies across the MSN.com domain. Once hackers have a victim's cookie they can use tools to trick Hotmail into thinking they already logged on as this user.

The security flap comes days after Microsoft confessed its South Korean MSN Web site was the target of a hacking attack. Hackers succeeded in loading malicious code onto the site at part of an attack designed to steal passwords for Lineage, an on-line game popular in east Asia.

Microsoft declined our repeated requests to comment on the security of MSN Hotmail in light of de Vries's research. ®

Related stories

Online gamers targeted in Korean MSN hack attack
MS UK 0wn3d by hackers. Again
MS Passport cracked with Hotmail
Hotmail vulnerable to JavaScript exploit
Hacking Hotmail made easy

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.