By Libe Goad
One week after hackers exploited a weakness in the MSN Korea Web site, Microsoft admitted to taking down part of its MSN site over the weekend after learning about a flaw that would allow hackers to access Hotmail accounts.
Reports say the MSN Web site, ilovemessenger.msn.com, contained a cross-site scripting flaw. That means someone could potentially use the site to obtain user data via "cookies," or bits of user data, by having MSN customers click on a malicious URL. Once someone clicked the URL, hackers would be able to access their personal e-mail accounts.
A Microsoft spokesperson said customers are no longer at risk from the issue because the "I Love Messenger" Web site has been disabled, and visitors to the site are being redirected to the general MSN Messenger site. Microsoft says it will restore the "I Love Messenger" Web site once the investigation is complete and the issue has been resolved.
The flaw was initially reported by 20-year-old Dutch programmer Alex de Vries on Net-Force.nl, a security enthusiast Web site. On the site, de Vries said, "I found out many big sites are still vulnerable to certain exploits."
After finding vulnerabilities in the Web sites of NASA, Time Magazine, CBS and the CIA, he moved on to Hotmail with the perception that it'd be "unhackable."
"I had to search for about an hour and a half (unlike NASA and CIA, which took me only about 15 minutes), but with success," de Vries said on the site. "Together with [another hacker], I've tested my theory, and in no time, I was reading the content of his inbox."
He then informed Microsoft Corp. of the security flaw and created a tutorial titled "How to Hack Hotmail," although he added the obligatory statement that it should be used for enthusiast purposes and not for malicious intent.
Cross-site scripting flaws are caused by problematic Web site design. Microsoft first posted information about them in February 2000, calling these flaws a "serious security vulnerability."
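The reflected cross-site scripting pattern described above, as an added example that is not code from the page or from Microsoft: a URL parameter echoed into the page unescaped, beside the same page with HTML encoding, plus a Set-Cookie header carrying the HttpOnly flag, which keeps a session cookie out of reach of any script that does get injected. The probe string, the `session` cookie name and the helper names are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a value an attacker could plant in a link's query
# string. A harmless probe marker stands in for a real payload.
PROBE = '<script>/*probe*/</script>'


def render_greeting_vulnerable(name: str) -> str:
    """Echoes the URL parameter straight into the page: reflected XSS."""
    return f"<h1>Welcome back, {name}!</h1>"


def render_greeting_safe(name: str) -> str:
    """Same page, but the untrusted value is HTML-encoded before insertion,
    so '<' and '>' reach the browser as text, not as tags."""
    return f"<h1>Welcome back, {html.escape(name, quote=True)}!</h1>"


def session_cookie_header(token: str, http_only: bool = True) -> str:
    """Build a Set-Cookie header for a session token.

    HttpOnly stops document.cookie from exposing the value, so even a
    successful script injection cannot read the session token; Secure and
    SameSite=Strict limit where the cookie is sent at all.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    if http_only:
        cookie["session"]["httponly"] = True
    return cookie.output(header="Set-Cookie:").strip()


def script_injected(page: str) -> bool:
    """Crude review check: the template contains no <script> tag, so any
    live one in the rendered output came from untrusted input."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(PROBE))  # tag survives: exploitable
    print(render_greeting_safe(PROBE))        # tag encoded: inert text
    print(session_cookie_header("constructed-token-123"))
```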
Users can find more information about these flaws in the Microsoft help section or in this Knowledge Base article, which describes how users can make sure that their computers are not vulnerable to this threat.
The article tells users to turn off Active Scripting in the Restricted zone and make all e-mail run in the Restricted zone. It also warns Web surfers to visit only trusted Web sites; avoid clicking hyperlinks in e-mails; and be careful of how they surf to a site, by typing the URL directly into the browser or by using a secure bookmark or favorite.
"As a best practice, users should always exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources," the Microsoft spokesperson said.
If users fall victim to a cross-site scripting attack, the Microsoft site recommends that they close the Web browser, restart it and visit a safe Web site, then delete all of the cookie files on the computer. For users of the Internet Explorer browser, Microsoft gives more specific details on how to recover from a scripting attack.
During the MSN Korea attack last week, hackers placed malicious code on the site's news section in an attempt to steal user login information for Lineage, a hugely popular multiplayer online game in South Korea. Then, when anyone with a vulnerable Web browser visited the site, they'd be infected with the Trojan that would steal and record the keystrokes of Lineage players.
The site remained hacked for several days before Microsoft fixed it and called law enforcement in for a full investigation. No one reported being affected by the attack.