Results 1 to 4 of 4

Thread: Yahoo, Hotmail Open to Attack

  1. #1
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Huson Mt.

    Yahoo, Hotmail Open to Attack

    Again, or still, security flaws open your online mail accounts to exploits.

    The vulnerability was discovered in an Internet Explorer feature used to process extensions to HTML called HTML + TIME. The security hole could allow attackers to steal log-in and password information, or browse the contents of an e-mail account, according to an advisory released by GreyMagic Software.
    The company tested the vulnerability against Yahoo and Hotmail, but it could affect other e-mail services, GreyMagic said.
    Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with support for HTML + TIME, makes it possible to inject malicious script into incoming e-mail messages, GreyMagic said
    They are using a flaw in IE, but I am wondering if other browsers could be exploited in the same way.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  2. #2
    hehe, now whenever somebody asks how to hack Hotmail, to go read the news. That is why I never send anything important via email.

  3. #3
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    South Florida
    Yep, from my email group

    GreyMagic Security Advisory GM#005-MC

    By GreyMagic Software, Israel.
    23 Mar 2004.

    Topic: Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo.

    Discovery date: 06 Mar 2004.

    Affected applications:

    * Hotmail web-based email service (when used with IE).
    * Yahoo web-based email service (when used with IE).

    Note that many other web-based services may be vulnerable to this method of
    exploitation, as it is a completely new way to embed script.


    Both Hotmail and Yahoo make tremendous efforts to sanitize incoming emails
    from potentially unsafe HTML content. Flawed filtering of such unsafe
    content may result in severe consequences that would occur as soon as a user
    opens an email for reading, including:

    * Theft of login and password.
    * Content disclosure of any email in the mailbox.
    * Automatically send emails from the mailbox.
    * Exploitation of known vulnerabilities in the browser to access the user's
    file system and eventually take over the machine.
    * Distribution of a web-based email worm.
    * Disclosure of all contacts within the address book.


    GreyMagic devised a method to inject such arbitrary (potentially malicious)
    content to a Yahoo or Hotmail email message. The method is not limited to
    Hotmail and Yahoo alone though, it may apply to other web-based services
    that attempt to filter HTML input.

    The vulnerability makes use of an Internet Explorer technology called
    HTML+TIME (based on SMIL), which is meant to add timing and media
    synchronization support to HTML pages.

    One of the features included in HTML+TIME is the ability to manipulate any
    attribute on an element via special control elements. For example, the
    <t:set> element exposes the attributes "attributeName" and "to", which make
    it possible to inject ANY HTML content to the document when "attributeName"
    is set to "innerHTML" and "to" is set to any HTML the attacker would like to
    execute, including script.


    For the HTML+TIME module to be activated, the document must fulfill two
    requirements. It must declare the designated namespace and it must bind the
    namespace to the HTML+TIME behavior implementation.

    In order to fulfill the first requirement it is usually necessary to be able
    to access the <html> element, with the syntax <html
    xmlns:t="urn:schemas-microsoft-com:time">. However, Hotmail completely
    filters out that element, so another method of namespace declaration is
    needed. It so happens that Internet Explorer provides one other mechanism to
    declare a namespace, via the non-standard <?xml:namespace> processing
    instruction, which may be used anywhere in the document and does not get

    The second requirement usually involves the use of the CSS "behavior"
    property, with the syntax "behavior:url(#default#time)". However, Hotmail
    blocks all instances of "url(...)" in the incoming mail, so another way to
    bind the behavior must be used. It comes in the form of the <?import>
    element, which was added in Internet Explorer 5.5 and enables namespace to
    implementation binding.

    So after evading all filters, the final code looks like this:

    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />
    <?import namespace="t" implementation="#default#time2">
    Optional text here...
    <t:set attributeName="innerHTML" to="<script
    defer>alert()</script>A" />


    We put together a proof of concept demonstration, which can be found at
    Removed for security reasons


    GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They
    have quickly confirmed our findings and were able to produce a fix less than
    two days later. As a result, Hotmail is no longer vulnerable to this method
    of exploitation.

    All attempts to contact Yahoo unfortunately failed. Mail was sent to
    security and secure at and at, no replies were
    received to date.

    Tested on:



    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory.

    - Copyright © 2004 GreyMagic Software.

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    I think that this is a very important post, not for the information about the exploit, but for the information that comes behind it. Microsoft responded and solved the problem in Hotmail is less than 48 hours.

    Source: xmaddness/VulnWatch
    GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
    Where as Yahoo has still not fixed the problem, nor have they even commented on the subject

    However, Yahoo users and other users of Web-based e-mail services could be vulnerable to attack via the security hole, GreyMagic said.

    Yahoo could not be reached for comment.
    I think this proves a point about Microsoft at least taking people seriously and listening to it. They fixed the problem fairly quickly.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts