Hotmail bug pops up with JavaScript code

Microsoft investigates yet another security problem within its Hotmail Web site for free email.

Microsoft is investigating yet another security problem within its Hotmail free email service.

According to Bulgarian bug hunter Georgi Guninski, who has a number of bug finds to his credit, Hotmail permits the sending of JavaScript code that could automatically present a bogus password entry screen. Usernames and passwords entered by unsuspecting users could be collected by the email sender.

JavaScript is a Web scripting language developed by Netscape Communications for performing actions on Web pages without user input. JavaScript is most commonly used for launching pop-up windows or scrolling text; but it has also become a major security headache for browser makers and Web sites like Hotmail because of its potential usefulness to malicious hackers.

A year ago, Hotmail responded to the demonstration of a JavaScript password-stealing exploit by implementing a filter that searched out JavaScript tags in incoming email and rendered them inoperable.

But bug hunters quickly defeated that fix by placing the JavaScript code inside the "header" (head) tags of the HTML email's source code, evading Hotmail's filter. Microsoft then plugged that hole, saying at the time that it had implemented a filter that stripped incoming email of all scripts and other potentially hazardous elements.

Guninski claims his new JavaScript trick circumvents even those barriers by placing the JavaScript code inside the document's "style" tags.
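The three rounds described above (script tags stripped, then script moved into the head, then into a style element) illustrate why a filter that hunts for known-bad tags keeps losing: every element the filter did not think of becomes the next carrier. The added example below, which is not Hotmail's code and not from the article, contrasts a constructed blocklist filter of the kind the text describes with an allowlist sanitizer for untrusted HTML email. The allowlist version keeps only a fixed set of harmless tags and attributes, discards the entire content of script, style and head elements, and drops URLs that are not plain http/https/mailto links. The sample message, allowlist, and helper names are all constructed for the example, and it goes slightly beyond the page by also covering inline event-handler attributes and javascript: links, which a tag-only filter also misses.

```python
"""Allowlist sanitizer for untrusted HTML email (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: formatting tags only, nothing that can run code.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "div", "span", "table", "tr", "td", "th", "h1", "h2", "h3"}
# Attributes permitted per tag; anything else (on*, style, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan"}}
# Only plain web and mail links survive; javascript:, data:, vbscript: do not.
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)
# Elements whose entire content is discarded, not merely the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "head", "title", "iframe",
                     "object", "embed", "noscript"}

# A constructed blocklist filter in the spirit of the one the article
# describes: it removes only <script> elements, wherever they appear.
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_strip_script_tags(html: str) -> str:
    """Blocklist approach: delete <script>...</script> and trust the rest."""
    return SCRIPT_ELEMENT.sub("", html)


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only; everything else is gone."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.drop_depth = 0  # >0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers onclick=, onload=, style=, etc.
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue  # e.g. javascript: links are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void element such as <br/>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # script/style bodies arrive here as raw text; drop_depth discards them.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(html: str) -> str:
    """Allowlist approach: return only markup the filter positively permits."""
    parser = _AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample mirroring the three placements the article describes,
# plus an event-handler attribute and a javascript: link. No real payloads.
SAMPLE_EMAIL = """<html><head><title>Hi</title>
<script>/* constructed: script placed in the head */</script>
<style>body { color: red } /* constructed: active content placed in style */</style>
</head><body>
<p onclick="void(0)">Please <a href="javascript:void(0)">sign in</a> again.</p>
<script>/* constructed: script placed in the body */</script>
<p>Regards, <b>sender</b> &amp; team</p>
</body></html>"""

if __name__ == "__main__":
    print("blocklist result:\n", naive_strip_script_tags(SAMPLE_EMAIL))
    print("allowlist result:\n", sanitize_html(SAMPLE_EMAIL))
```

Running the block shows the blocklist filter leaving the style element, the onclick attribute and the javascript: link untouched, while the allowlist sanitizer emits only the two paragraphs with their formatting. The design point is that the allowlist never needs a new rule when a new carrier element is found, because anything not explicitly permitted was never emitted in the first place.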

Microsoft said it is looking into the issue and retracted its assertion of a year ago that it was trying to filter all scripts from incoming email.

"We do filter out some JavaScript tags to provide better security, to stop some hacks and spoofs," said MSN lead product manager Deanna Sanford. "But we don't disable JavaScript altogether. There are still some great uses for JavaScript, and we don't want to enforce a total ban."

Sanford said Hotmail is evaluating whether JavaScript should be permitted in the "style" tags.

After a security problem last week exposed Hotmail users to attack, Microsoft acknowledged it was hiring an outside firm to examine security at the free email service.