I remember that about a year ago there was quite a popular exploit in Hotmail.

You had to send someone an email with a JavaScript command in the subject field.
First you had to do it like this; then they found out and patched it, still leaving a kind of buffer-overflow exploit open. That could be exploited using the same JavaScript command, but a long one, which caused the buffer to overflow, and at the end there had to be a second JavaScript command, which was executed. That worked for a while too.

I believe that one could actually have the passwd of a mailbox mailed to him with this.

Correct me if I'm wrong,

Grtz.