MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes
Microsoft admits to taking down part of its MSN site after a programmer exploited a cross-site scripting flaw to read Hotmail e-mails.
One week after hackers exploited a weakness in the MSN Korea Web site, Microsoft admitted to taking down part of its MSN site over the weekend after learning about a flaw that would allow hackers to access Hotmail accounts. Reports say the MSN Web site, ilovemessenger.msn.com, contained a cross-site scripting flaw. That means someone could potentially use the site to obtain user data via "cookies," or bits of user data, by having MSN customers click on a malicious URL. Once someone clicked the URL, hackers would be able to access their personal e-mail accounts.
A Microsoft spokesperson said customers are no longer at risk from the issue because the "I Love Messenger" Web site has been disabled, and visitors to the site are being redirected to the general MSN Messenger site. Microsoft says it will restore the "I Love Messenger" Web site once the investigation is complete and the issue has been resolved.
The flaw was initially reported by 20-year-old Dutch programmer Alex de Vries on Net-Force.nl, a security enthusiast Web site. On the site, de Vries said, "I found out many big sites are still vulnerable to certain exploits."