mailing list archives
Hotmail spoofing with css
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Wed, 24 Jan 2001 06:57:53 -0000
In his post to bugtraq, Ben Li spoke about a bug in most of next generation
browsers that deal with css and a broken image that leads to a general html
A similar problem exist with css used inside a web base mail server with
this time a plain image but no link needed. It's possible to generate some
mail trojans that will recover user personal information like passwords.
It's no longer a bug in the browsers, but in the implementation of servers
i did some test with hotmail and msie 4/5 (NT) and it work really fine. (did
not try netscape)
In fact we have here a very serious hole .
It was possible (at least with hotmail) to use a background layer with
a full blank picture to erase all the browser screen ( hotmail desktop) and
another top layer with a slightly modified password requester it would be
easy to fool most people around here.
a simple 'img href' to an outside 1x1 white pixel picture expanded to
1280x768 is ok for the background layer and will clean everything.
Since the new frame appear over the first one and not in a new window like
in the usual way, the Microsoft top frame warning that user is going outside
hotmail will no longer exist.
So, from the user side, just after clicking on his mail to read it, the
screen will show him what he would trust to be the hotmail relogin page.
(session timeout). The URL inside the browser is still hotmail so he has no
really obvious reason to worry except if he took the same login page 2
minutes just before.
The relogin page, embedded in the mail inside the top layer, won't be really
the same as the original one, the form field may be changed with an unsecure
http connection and a GET method while pointing to the attacker web server.
Then, the password in his web server logs, the attacker may finaly redirect
the victim to the real page.
Conclusion: Micro$oft should reconsider the seriousness of this threat ( $
feature $ ) by blocking css and may be layers too.
below, "only some skulls" of a mail exploit: copyrighted material was
== horsemail.com ==
<div id="layer1" style="width:99px; height:99px; position:absolute;
left:0px; top:0px; z-index:0;">
<!-- First Layer, a big blank screen to hide Hotmail desk -->
<div id="layer2" style="position:absolute; left:140; top:100; z-index:0;">
<!-- Layer 2, will show up text, pics, form -->
<!-- Here the new hotmail login.html that point to our web server
Need Microsoft login page with all copyrighted
logos, banners ... -->
Have a nice day,
1001 bd Maisonneuve Ouest - suite 200
Montreal(Quebec) H3A 3C8 CANADA
c3rb3r () hotmail com ;)
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
- Hotmail spoofing with css gregory duchemin (Jan 24)