Hotmail Open to Script Attacks

Until it's fixed, a vulnerability in Microsoft's Hotmail service puts sensitive information at risk by leaving the door open to attacks by Trojan horses. By Michael Stutz.

What's in an email message, outside of a quick note, a reminder from Mom, or an annoying slab of spam?

If the message is coming through the Web-based email service Hotmail, it could contain a Trojan horse ready to release your account information to an intruder.

Tom Cervenka, a Web programmer at Canadian Specialty Installations, spent last week working on some clever code to send to his own Hotmail account. If successful, his code would tell users their account access had been "timed out" and that they needed to re-enter their account and password information. When the user clicked the button to resubmit that information, the code, written in JavaScript, would use standard mail protocols to send the account ID and password to the email address included in the JavaScript. His trick worked.

"I found out I could send myself a message that could contain JavaScript code. The code could go and alter the Hotmail user interface itself," Cervenka said. "Pretty much once you view the code [in the email message], it starts reading ... and the damage is done."

The JavaScript in question was capable of altering the HTML-based interface of Hotmail's inbox, its outbox, and its message controls. The links and interface looked the same after they had been altered, but they had been changed to send data to Cervenka's address.

"We can verify that it does appear to work and is a way that people could potentially sniff a user's passwords, and we're working extremely hard on coming up with a fix for it," said Sean Fee, Hotmail's director of product marketing.

"We don't have a specific time, but we would expect a very, very fast turnaround on this," Fee said.

Until then, Hotmail users shouldn't open email messages from unknown senders, and they should disable JavaScript in their Web browser.

Cervenka posted a working demonstration and full description of the exploit on the Web, and sent out alerts to security mailing lists.

He doesn't know of other successful exploits of the trick, but figures he's not likely to be alone in discovering what he says is a use of fairly simple JavaScript instructions to fool the Hotmail system. The free email service is the only one he's tested it on, but Cervenka suspects that any Web-based email or chat system can be similarly exploited. The fix, he says, is for the systems to detect and filter out JavaScript from any incoming email messages.
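The fix Cervenka describes, filtering active content out of inbound mail before the webmail interface renders it, is what an allowlist HTML sanitizer does. The following is an added example written for this page, not Hotmail's or Cervenka's code: the tag and attribute allowlists, the function names and the sample message body are all constructed for illustration, and the sample is shaped like the "timed out" lure the article describes so the output shows what such a filter leaves behind.

```javascript
// Added example, not Hotmail's or Microsoft's code: an allowlist HTML sanitizer
// of the kind the proposed fix calls for, run over a message body before the
// webmail UI renders it. Allowlists and names below are assumptions.

// Elements that may survive. Anything else loses its tag.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "div", "span", "ul", "ol", "li"]);
// Elements whose whole content is discarded too (script bodies, hidden frames).
const DROP_CONTENT_TAGS = new Set(["script", "style", "noscript", "iframe", "object", "embed", "textarea", "title"]);
// Attribute allowlists: no on* handlers, no style, no src.
const ALLOWED_ATTRS = new Map([["a", new Set(["href", "title"])]]);
const GLOBAL_ATTRS = new Set(["title"]);
// Only these URL schemes may appear in href (rejects javascript:, data:, vbscript:).
const SAFE_URL = /^(https?:|mailto:)/i;

// One token per match: comment, declaration, tag (name in group 1, raw
// attributes in group 2), a run of text, or a stray "<" that is not a tag.
// Attributes must be whitespace-separated; a tag that does not parse is
// treated as text, which is the safe direction to fail.
const TOKEN = /<!--[\s\S]*?-->|<![^>]*>|<\/?([a-zA-Z][a-zA-Z0-9:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>|[^<]+|</g;
const ATTR = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Decode numeric character references so "&#106;avascript:" is checked the
// way the browser would read it.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, n) => {
    const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

function isSafeUrl(value) {
  // Browsers ignore whitespace and control characters inside a scheme, so
  // strip them before testing or "java\tscript:" slips through.
  const normalized = decodeNumericEntities(value).replace(/[\s\u0000-\u001f]/g, "");
  return SAFE_URL.test(normalized);
}

function sanitizeAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS.get(tag) || GLOBAL_ATTRS;
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;                  // drops onclick, style, src, ...
    if (name === "href" && !isSafeUrl(value)) continue;
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = "";
  let dropUntil = null; // open element whose content is being discarded
  for (const m of html.matchAll(TOKEN)) {
    const token = m[0];
    const name = m[1] ? m[1].toLowerCase() : null;
    if (name === null) {
      if (token.startsWith("<!")) continue;             // comments and declarations
      if (dropUntil === null) out += token === "<" ? "&lt;" : token;
      continue;
    }
    const isClosing = token[1] === "/";
    if (dropUntil !== null) {
      if (isClosing && name === dropUntil) dropUntil = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!isClosing && DROP_CONTENT_TAGS.has(name)) dropUntil = name;
      continue;
    }
    out += isClosing ? `</${name}>` : `<${name}${sanitizeAttributes(name, m[2])}>`;
  }
  return out;
}

// Constructed sample: a body shaped like the "session timed out" lure, with
// the kinds of active content the filter has to remove.
const SAMPLE_MESSAGE = `
<p>Your <b>Hotmail</b> session has timed out. Please log in again.</p>
<script>rewriteInboxLinks()</script>
<a href="javascript:resubmit()">Log in again</a>
<a href="http://www.example.com/login" onclick="leak()">Account help</a>
<img src="x" onerror="leak()">
<!-- hidden note -->
<a href="&#106;avascript:resubmit()">Encoded link</a>
`;

function sanitizeSample() {
  return sanitizeHtml(SAMPLE_MESSAGE);
}

console.log(sanitizeSample());
```

The design choice that matters is the allowlist: the filter names what may survive rather than trying to enumerate what is dangerous, so a new handler attribute or scheme is rejected by default. The href check decodes numeric entities and strips whitespace and control characters first, because that is how the browser will read the value. Script bodies are dropped along with the tag, since the text between `<script>` and `</script>` is code, not content. A regex tokenizer like this one is fine for showing the idea; a production webmail filter parses the HTML with a real parser and serializes the cleaned tree, because browsers repair malformed markup in ways a tokenizer does not model.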

"If I've figured it out, there's definitely a lot of other people who have figured it out, too," he said.

"If anybody doubted that they should be concerned about their use of JavaScript, now they know," said Ted Julian, security analyst with Forrester Research.

"It's a classic Trojan horse that's been tried with many different kinds of applications as a way to gather [usernames and passwords]," Julian said.

Cervenka said he alerted both Hotmail and Microsoft at the end of last week but received no reply other than an automated email response from Hotmail.

"Anyone that knows even a minimal amount of JavaScript can take advantage of this."

Julian said free email service providers also need to be aware of the liability issues.

"It's great that they are putting together these portals that contain all sorts of information and services as a way to attract traffic, but here's an example of how they need to think very carefully about what the security and liability issues are that are associated with those services," said Julian. "It's not just a matter of kinda throwing this stuff up there now. There's some considerations that they need to make."

Fee said that the company is working hard to "understand exactly the various ways in which it works, understand its technical scope, and come up with a solution" that will remedy the problem.

"Protecting our members' personal email and privacy is of paramount importance to us," Fee said.

In February, the company patched within a day a potential exploit that granted malicious users access to Hotmail accounts.