Microsoft admits to taking down part of its MSN site after a programmer exploited a cross-site scripting flaw to read Hotmail e-mails.
One week after hackers exploited a weakness in the MSN Korea Web site, Microsoft admitted to taking down part of its MSN site over the weekend after learning about a flaw that would allow hackers to access Hotmail accounts.
Reports say the MSN Web site, ilovemessenger.msn.com, contained a cross-site scripting flaw. That means someone could potentially use the site to obtain user data via "cookies," the small pieces of data a browser stores for a site, by having MSN customers click on a malicious URL. Once someone clicked the URL, hackers would be able to access that person's e-mail account.
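The reflected cross-site scripting pattern described above, as an added illustration (not code from the article, from Microsoft, or from the MSN site): a page that copies a URL parameter straight into its HTML, beside the same page with the parameter escaped, plus the cookie attribute that keeps a session cookie out of reach of page scripts even when an injection succeeds. The greeting page, its `name` parameter and the sample input are constructed for this example.

```javascript
// Added example, not the article's or MSN's code. The "greeting page" and its
// `name` query parameter are hypothetical; the sample input is constructed.

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the parameter carried in the URL is copied verbatim into the
// page, so whatever the URL contains becomes markup that runs with the site's
// own origin. That is what gives an injected script access to the site's
// cookies, which is the exposure the article describes.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// HARDENED: same page, parameter escaped before insertion. The browser now
// displays the text instead of interpreting it.
function renderGreetingHardened(name) {
  return `<html><body><h1>Hello, ${escapeHtml(name)}!</h1></body></html>`;
}

// Defence in depth for the session cookie itself: HttpOnly hides the cookie
// from document.cookie, so a script that does run cannot read it; Secure and
// SameSite limit where the browser will send it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Rough check used to compare the two renderers: after removing the tags the
// template itself emits, is any tag left over? Real sites should rely on
// escaping (or a templating engine that escapes by default), not on scanning.
function containsInjectedTag(html) {
  const templateTags = ["<html>", "<body>", "<h1>", "</h1>", "</body>", "</html>"];
  const stripped = templateTags.reduce((h, t) => h.split(t).join(""), html);
  return /<[a-zA-Z\/!]/.test(stripped);
}

// Constructed sample input: text that a browser would treat as a script tag.
const SAMPLE_INPUT = "<script>alert(document.cookie)</script>";

// Render both versions for comparison.
const VULNERABLE_PAGE = renderGreetingVulnerable(SAMPLE_INPUT);
const HARDENED_PAGE = renderGreetingHardened(SAMPLE_INPUT);
```

Running the two renderers on `SAMPLE_INPUT` shows the difference: the vulnerable page contains a live `<script>` element, while the hardened page contains only the escaped text `&lt;script&gt;…`, and `containsInjectedTag` returns `true` for the first and `false` for the second. The cookie header is the second layer: even where escaping is missed somewhere on a large site, an `HttpOnly` session cookie cannot be read by injected script.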
A Microsoft spokesperson said customers are no longer at risk from the issue because the "I Love Messenger" Web site has been disabled, and visitors to the site are being redirected to the general MSN Messenger site. Microsoft says it will restore the "I Love Messenger" Web site once the investigation is complete and the issue has been resolved.
The flaw was initially reported by 20-year-old Dutch programmer Alex de Vries on Net-Force.nl, a security enthusiast Web site. On the site, de Vries said, "I found out many big sites are still vulnerable to certain exploits."
After finding vulnerabilities in the Web sites of NASA, Time Magazine, CBS and the CIA, he moved on to Hotmail with the perception that it'd be "unhackable."
"I had to search for about an hour and a half (unlike NASA and CIA, which took me only about 15 minutes), but with success," de Vries said on the site. "Together with [another hacker], I've tested my theory, and in no time, I was reading the content of his inbox."
Read the full story on PCMag.com: MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes