ID:IRCNE2011051121
Date: May 25, 2011
Vulnerability in Microsoft's website gave hackers a way to read and steal e-mail messages from Hotmail users. According to security vendor Trend Micro, hackers sent specially crafted e-mail messages to several thousand victims.
On May 12, Trend Micro found an email sent to a victim in Taiwan that looked like a Facebook notification alert. This message seemed to be a warning from Facebook that claimed someone had accessed the victims' accounts from a new location, but in fact, it was a scam.
The e-mail message contained a script that forwarded the victim's e-mail messages to the hacker.
The attack would be successful if the victim had logged into his Hotmail account, and the script would run even if the victim simply previewed the message. The attack worked thanks to a common Web programming error in Microsoft's website called a cross-site scripting flaw.
Cross-site scripting flaws are common on the Web, but they're rare in important, widely used websites such as Windows Live Hotmail.
Trend Micro reported the issue to Microsoft immediately, and it was finally fixed on Friday, according to Microsoft. It's not clear how many Hotmail users were hit by the attack.
According to Trend Micro, the attack doesn't seem to have been widespread. The company was able to count between 1,000 and 2,000 victims after discovering the issue, said Jamz Yaneza, a Trend Micro research manager. However, Trend Micro has no way of knowing how long the flaw was there before it was uncovered, he added.
- 2