Hotmail XSS Exploit Still Unpatched

Sixteen-year-old Adriaan Graas from The Netherlands informed Microsoft last week about an XSS (cross-site scripting) exploit he found in Hotmail.

The exploit allows attackers to steal cookies from their victims and obtain full control over their inboxes without needing to know their passwords. More than a week later, the billion-dollar company still hasn't fixed the flaw.

The story is hardly surprising considering Microsoft's long-standing reputation for XSS blunders, e.g. last year's reported MSN Alerts and Ilovemessenger vulnerabilities, and a similar one going all the way back to 2002.

While we agree it's best to privately and directly report vulnerabilities to the company involved, the information has already been disclosed on the web and various news sites are publishing it.

We can only hope the exposure puts enough pressure on Microsoft. The Hotmail exploit can easily be executed via websites, e-mails or instant messages, so until the hole is patched: watch where you click!
