The MSN Web site, http://ilovemessenger.msn.com/, contained a so-called cross-site scripting flaw, a Microsoft representative said on Monday. In its initial review of the issue, the company found that an attacker could use the vulnerability to obtain "cookies" from Hotmail users by getting them to click on a malicious URL. That could then grant access to those e-mail accounts, the representative said.
are small files stored on a computer that contain user data. Hotmail is one of the world's most popular Web-based e-mail services, with more than 200 million active accounts, according to Microsoft.
Microsoft's acknowledgement of the Hotmail issue comes after the security hole was disclosed on Saturday by Alex de Vries, a Dutch programmer, on the Net-Force Web site for security enthusiasts.
has described the flaws as serious security vulnerabilities.flaws are errors in Web site design, not in Web browsers, and were discovered more than five years ago. Microsoft
Hotmail customers are no longer at risk, according to Microsoft. "The 'I Love Messenger' Web site has been disabled," the company representative said in an e-mail statement. The site, which hosts emoticons, display pictures and backgrounds for MSN Messenger, Microsoft's free instant messaging service, will be restored once the issue has been resolved, the company said. On Monday afternoon PT, the I Love Messenger Web address was redirecting users to the main MSN Messenger Web site.
The Hotmail and MSN flap comes within a week after Microsoft acknowledged that its South Korean MSN Web site. Attackers placed malicious software on the news section of MSN Korea in an attempt to for "Lineage," a popular online game in Asia.