13 Aug 2001
Hotmail users were subjected to a mass spam attack this weekend, at the same time that it was revealed that a security glitch in the service allowed an attacker to hijack a user's Passport.
vnunet.com readers have reported mass mailings from a single address which managed to sneak past Hotmail's automatic junk mail filter. One user reported receiving over 8000 copies of the same 'Microsoft products at knock down prices' email.
Another user managed to paste the sender's address into the filtering system, but not before he was bombarded by over 1200 mails. "By the time I accessed the blocking filters and pasted in the rogue address I found that I had 1200+ emails. All emails came from one address and Hotmail's junk filter did not stop it," he told vnunet.com.
The discovery of a vulnerability in the Passport authentication system has also put user accounts at risk. Details of a cross-site scripting attack were published on security sites; it would allow a malicious user to hijack another user's session cookie, effectively stealing their identity.
A malicious JavaScript exploit embedded within an email as a URL can be used to trick the Passport system into passing the user's session cookie to a third-party common gateway interface (CGI) script on a remote server.
This attack is known as 'cross site scripting' and, although Microsoft has taken steps to filter out this type of attack, simply encoding the malicious script by replacing some letters with their hex equivalents will sneak the code past the filters. For example, 68 is the hex value of 'h', so the server would translate &x68;ttp:// into http://.
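The filter-evasion problem described above, as an added illustration that is not from the article or from the white paper it mentions: a blocklist applied to raw text misses a character-reference-encoded link, while the same blocklist applied after canonical decoding catches it. The example uses the standard HTML numeric character reference syntax (`&#x68;` for 'h'); the sample email body and the hostname are constructed.

```python
import html

# Constructed sample inputs: the same link, once plain and once with its
# leading 'h' written as the HTML hex character reference &#x68; (0x68 = 'h').
SAMPLE_PLAIN = 'Click <a href="http://example.invalid/grab">here</a>'
SAMPLE_ENCODED = 'Click <a href="&#x68;ttp://example.invalid/grab">here</a>'

# Patterns a simple mail filter might refuse to pass through (constructed list).
BLOCKED = ("http://", "javascript:", "<script")


def naive_filter(text: str) -> bool:
    """Return True if the raw, undecoded text contains a blocked pattern.

    This is the weak approach: it inspects the bytes as delivered, so any
    character reference the browser will later decode slips past it.
    """
    lowered = text.lower()
    return any(pattern in lowered for pattern in BLOCKED)


def normalize(text: str) -> str:
    """Decode HTML character references until the text stops changing.

    Looping handles double-encoded references such as &amp;#x68;, which
    decode to &#x68; on the first pass and to 'h' on the second.
    """
    previous = None
    while previous != text:
        previous = text
        text = html.unescape(text)
    return text


def normalized_filter(text: str) -> bool:
    """Canonicalize first, then apply the blocklist to what the browser would see."""
    return naive_filter(normalize(text))
```

Running both filters over the two samples shows the gap: the naive filter blocks only the plain link, while the normalizing filter blocks both.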
Once the attacker is in possession of the user's session cookie he can effectively masquerade as the true user and take control of all his accounts which use the Passport service.
A coder going by the name of Obscure, who wrote a white paper on the attack, said Microsoft has been informed of the situation. It is unclear whether the problem has yet been fixed.