Microsoft zaps Hotmail password bug

The company patches a bug that left users of the Web-based email service vulnerable to a password-stealing trick.

Microsoft has patched a Hotmail bug that left users of the Web-based email service vulnerable to a password-stealing trick.

The exploit was the latest in a series devised by bug hunters using JavaScript to launch fraudulent password entry screens to trick people into handing over control of their accounts.

JavaScript is a Web scripting language designed to take actions on a Web site visitor's computer, such as launching a new window or scrolling text across the screen, without the visitor's interaction. After the first few password-stealing schemes came to light, Hotmail and other Web email providers decided to filter JavaScript from incoming messages.

But bug hunters have kept themselves busy finding ways to sneak the code around Hotmail's filters.

In the example addressed by Hotmail this week, Bulgarian bug hunter Georgi Guninski demonstrated a way to inject JavaScript through a style tag. The exploit worked only with Microsoft's Internet Explorer browser.

In response to news of the bug, Microsoft this week patched the Hotmail servers.
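The filtering problem described above, as an added example that is not from the article or from Hotmail's code: a denylist that strips only `<script>` elements lets a `<style>` block through, while an allowlist filter drops it. The sample message, the tag policy and all function names are assumptions, and the `<style>` body is a placeholder because the article does not describe the actual payload.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message; the <style> body is a placeholder, not a payload.
MESSAGE = ('<p>Hello</p><script>placeholder()</script>'
           '<style>/* placeholder for script-bearing CSS */</style>'
           '<b style="placeholder">bold</b>')

def denylist_filter(html):
    """Weak: strip only <script> elements, the one construct known to run code."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

# Assumed policy: everything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style or on* attributes anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # remove the element body as well

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1               # an unclosed element fails closed
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {k}="{escape(v)}"' for k, v in attrs
                           if k in ALLOWED_ATTRS.get(tag, ()) and v
                           and v.strip().lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def allowlist_filter(html):
    """Rebuild the message from allowed tags, attributes and escaped text only."""
    parser = AllowlistFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The allowlist version does not need to know which browser interprets which construct as script, which is the property a denylist lacks each time a new carrier is found.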