HotMail security bug exposes passwords

Microsoft's free HotMail email service suffers from a security hole that could cause its users to disclose their user names and passwords. The bug, which was discovered by a Canadian company called Specialty Installations, can be triggered by a piece of JavaScript code embedded in an HTML-format email message. When the user reads the message, the JavaScript code asks the user to log in to HotMail again. Since the dialog box looks just like the one you get when you really do log in to HotMail, many users will be fooled, and the login information will be mailed to the sender of the message.

Microsoft is working on a fix to the problem but offers the following advice in the meantime: Don't open messages from unknown parties. If you see an unexpected login prompt, do not respond to it, but rather return to HotMail using a Favorite/Bookmark or by typing the HotMail URL into your browser.

Tools like JavaScript, VBScript, and Java are far more powerful than normal HTML, but since all popular email programs now support HTML, these other technologies have come along for the ride and they're opening up numerous security problems. Email bugs in Eudora, Netscape Mail, Microsoft Outlook 98, and Outlook Express can all be tied to HTML-enabled email.
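As an added defensive example (not code from the article or from Microsoft), the following shows the kind of filtering an email client or webmail front end can apply before rendering an HTML message: script elements, inline event-handler attributes and javascript:-style URLs are removed so embedded code cannot draw a fake login prompt. The class, function names and the sample message are all constructed for this illustration.

```python
# Added example: strip active content from an HTML e-mail body before display.
# Standard library only; names and the sample message are constructed here.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # anything else in href/src is dropped
URL_ATTRS = {"href", "src"}

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # rebuilt, sanitized markup
        self.skip_depth = 0  # >0 while inside an element whose content is dropped
        self.removed = []    # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                      # onload=, onclick=, ...
                self.removed.append(f"{tag}@{lname}")
                continue
            if lname in URL_ATTRS and value is not None:
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:   # javascript:, vbscript:, ...
                    self.removed.append(f"{tag}@{lname}={value}")
                    continue
            kept.append(f' {lname}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize_email_html(html):
    """Return (sanitized_html, list_of_removed_items)."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample: text plus a script, an event handler and a javascript: link.
SAMPLE = ('<p onload="run()">Hi!</p><script>prompt("Password?")</script>'
          '<a href="javascript:go()">click</a>')
```

Calling `sanitize_email_html(SAMPLE)` yields `<p>Hi!</p><a>click</a>` and an audit list naming the three items that were stripped, which is what a client would log when it neutralizes a message like the one described above.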
