Hotmail bug allows password theft

The software giant investigates yet another security dilemma with its free email service that permits the sending of JavaScript code that could automatically present a bogus password entry screen.

Microsoft can't seem to shake the security gremlins from its Hotmail free email service.

The software giant is investigating yet another security dilemma with its Hotmail service that permits the sending of JavaScript code that could automatically present a bogus password entry screen. Usernames and passwords entered by unsuspecting users could be collected by the email sender.

Microsoft said it is looking into the issue, although it has not received any other reports on this security problem.

JavaScript is a Web scripting language developed by Netscape Communications for performing actions on Web pages without user input. The language is commonly used for launching pop-up windows or for scrolling text, but it has also become a major security headache for browser makers and Web sites like Hotmail because of its potential usefulness to malicious hackers.

Earlier this month, Microsoft confirmed a JavaScript password-stealing exploit that had the same effect as the most recent one, but that was implemented differently, according to Georgi Guninski, a Bulgarian programmer.

Guninski claims the new JavaScript glitch circumvents Hotmail security barriers by placing the JavaScript in HTML image files.

Microsoft confirmed that the glitch is yet another way to execute malicious code in someone's email.

"We do filter out some JavaScript tags to provide better security, to stop some hacks and spoofs," said MSN lead product manager Deanna Sanford. "As we get these reports, we are evaluating other filters to provide to users. It's an ongoing process."

As an extreme measure to protect against such security breaches, both Guninski and Sanford said users can disable JavaScript in their browsers.

After a security problem last week exposed Hotmail users to attack, Microsoft acknowledged it was hiring an outside firm to examine security at the free email service.