Microsoft patched a cross-site scripting flaw on its Hotmail service that was being exploited by cyber-criminals to read and steal e-mail messages.
The flaw allowed the cyber-criminals to target victims with specially crafted phishing e-mails after reading their e-mails, according to Trend Micro researchers. The researchers reported the cross-site scripting issue to Microsoft on May 12, and the flaw was finally fixed May 20. It’s not clear how many Hotmail users were victimized, although Trend Micro counted 1,000 to 2,000 victims.
Trend Micro had no way of knowing how long the flaw was there and being exploited before it was uncovered and patched.
Trend Micro came across a message that looked like a Facebook notification alert warning a user that someone had accessed their Facebook account from a new location. Buried inside the message was a specially written script that executed if the user was logged into Hotmail, and forwarded the victim’s e-mail messages to the cyber-attacker.
“The script triggers a request that is sent to the Hotmail server,” Trend Micro wrote in a blog post describing the issue. It then “sends all of the affected users’ email messages to a certain email address.”
Unlike most e-mail attacks, which require users to open the message and click on an embedded link or open an attachment, the script executes as soon as the message is previewed in the browser, according to Trend Micro.
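The defence against a message that runs script on preview is for the webmail client to render only an allowlisted subset of the HTML body. The following is an added illustration, not code from the article or from Hotmail: a small allowlist sanitizer built on Python's standard HTML parser, run over a constructed sample message modelled on the fake Facebook notification described above (the tag list, `sanitize_email_html` and the sample are all assumptions).

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist for an untrusted HTML e-mail body: anything not
# listed here (script, style, event handlers, javascript: URLs) is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th", "h1", "h2", "h3", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br", "img"}

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every on* handler, style=, id=, etc.
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data: and relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize_email_html(body: str) -> str:
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample resembling the fake "new login" notification (not a real payload).
SAMPLE_EMAIL = (
    '<div><b>Facebook</b> Someone accessed your account from a new location. '
    '<a href="javascript:void(0)" onclick="x()">Review</a> '
    '<img src="https://example.invalid/logo.png" onerror="x()"> '
    '<script>x()</script>'
    '<a href="https://www.facebook.com/">Open Facebook</a></div>'
)
```

A webmail client would apply this (or a maintained library doing the same job) before the message reaches the preview pane, so that no script can run merely because the message was displayed.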
The malware has information-gathering capabilities, so users who are checking personal accounts at work may inadvertently compromise company information, such as confidential documents and customer contacts, Trend Micro said.
Cross-site scripting flaws are fairly common, but it’s rare to find them in large sites like Hotmail. This incident just goes to show that even the most established companies can make a programming mistake and users need to always be vigilant when online.