Hotmail, MSN and Amazon Susceptible to Attack via Cross Site Scripting

Acunetix WVS protects the loss of sensitive personal data due to XSS attacks

London, UK – 05 July, 2006 –A 16 year old Dutch student, Adriaan Graas, interested in Internet security and web development discovered a hack for the popular Hotmail free email service via a Cross Site Scripting attack. Microsoft, is reported to have been aware of this vulnerability for over a week but, at time of writing, has not yet fixed it.

Hacking hotmail via XSS

When logging into Hotmail, a cookie is created allowing continual access of the user while within the domain. Hackers may steal such cookies and produce fakes using such tools as Proxomitron. Since Hotmail cookies are not IP-bound, hackers do not need the password or the email address of the victim for logging in and accessing personal emails and other data. Through Cross Site Scripting (XSS) the hacker inserts JavaScript code that will send the fake cookie to a Web Server with a log script and the deed is done.

Vulnerabilities in MSN and Amazon left unfixed

Security researcher, Yash Kadakia, frustrated by a lack of response from Microsoft and Amazon.com, has gone public with details of flaws on MSN and Amazon. Similar to the Hotmail case, Cross Site Scripting and CRLF (Carriage Return Line Feed) injection vulnerabilities found in these sites could be used by hackers to steal “cookie” data files allowing them access to Amazon.com and MSN accounts, or to display a fake login page that could be used in phishing attacks.

Kadakia said he first notified Microsoft of the problem about a year ago but he wasn’t taken seriously until late last week, when he posted screen shots of the flaw being exploited on his Web site. The Amazon.com flaw was discovered in December and to-date the vulnerability remains un-patched, according to Kadakia.

Sanitizing Web Applications

Acunetix Web Vulnerability Scanner automatically audits web applications and checks whether these applications are secure from exploitable vulnerabilities to such hack attacks as Cross Site Scripting and CRLF injection. An automated check of the Hotmail, Amazon and MSN websites (using Acunetix Web Vulnerability Scanner) could pinpoint these and any other possible vulnerabilities before it is too late saving the popular companies from undue embarrassment, loss of reputation and customer trust, and any financial losses resulting from the attack.

Acunetix provides free trial to help companies determine the security of their websites

Click here to download a free 14-day trial of Acunetix.

About Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injectionCross site scriptingCRLF injection and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

About Acunetix

Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta) and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com.

Share this post

Leave a Reply

Your email address will not be published.