Filter flaw vexes Hotmail, Yahoo

A problem in the way Web-based e-mail services Hotmail and Yahoo Mail filter messages could have allowed an attacker to steal access rights and data from users.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
A flaw in the way Web-based e-mail services Yahoo Mail and Hotmail filter messages left users open to attack via specially crafted online scripts, a security specialist said Tuesday.

The glitch created the possibility of attacks that could have let Web miscreants steal passwords, access the content of e-mail opened by victims or even spread worms through Web e-mail, said Lee Dagon, director of research and development for Israeli computer security firm GreyMagic Software. GreyMagic discovered the flaw March 6 and released an advisory about it Tuesday.

"Hotmail and Yahoo do everything they can to prevent script from running in an e-mail message," Dagon said, readily filtering the Hypertext Markup Language content that arrives in messages. "We found a way to bypass their filters in order to make script run."

Technically, the vulnerability is part of a class of problems known as cross-site scripting flaws. Such flaws use a problem in a site's security to pass potentially harmful commands to another site or a user's computer.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The Open Web Applications Security Project has labeled such flaws the No. 1 issue e-commerce sites face. The current issue uses a feature of Internet Explorer and thus only affects users of Microsoft's browser.

Microsoft, which had been working on the problem with GreyMagic since March 11, has already fixed the flaw by filtering the potentially malicious script at Hotmail's servers. "Hotmail customers are fully protected from the vulnerability," a Microsoft representative said.

Yahoo said Tuesday afternoon that it expects to have the flaw fixed "shortly."

Yahoo never got the original alert from the security firm, due to an internal glitch, a company representative said Tuesday, after being told of the advisory by CNET News.com.

"Due to an isolated issue, we became aware of this specific report after it was first reported to us and have taken steps to prevent (such oversights) from occurring in the future," a representative said in an e-mail.

The vulnerability takes advantage of the seldom-used HTML+TIME module in Internet Explorer, which allows the browser to add timing and synchronization to Web pages. The flaw itself is not in Internet Explorer, however, or Outlook; it requires a Web service to actually have some interesting content to attack, GreyMagic's Dagon said.

"A script in Outlook would have to rely on a second vulnerability to do any real damage," he said. "However, when a script is running in Web-based services, it has immediate access to the entire mailbox."

Microsoft's Hotmail had issues two weeks ago, due to unknown problems with the software giant's Internet identity service, Passport. In December, Yahoo had to patch a flaw in its instant-messenger client that could have left users open to attack.

The advisory that describes the issue can be found on GreyMagic's Web site.

CNET News.com's Jim Hu contributed to this report.