Microsoft’s code is not always secure, is very clear again with this XSS exploit. This is not the first XSS exploit that has been found, others have been found.
Adriaan Graas is a 16 years-old student from Netherlands who is interested in internet security and web development. Adriaan Graas informed Microsoft (in the week he posted the article) about an XSS (cross site scripting) exploit he found in Hotmail. The exploit allows hackers to steal cookies from their victims and obtain full control over their inboxes without the need of knowing their passwords.
The idea is simple. When u are logged-in into Hotmail, a cookie is created which allows you access every time you are in it's domain. Since the cookie is not IP-bind (how is this possible? - Microsoft) we are able to fake the cookie, when stolen. Then use it to login. This all does mean that we do not have to know the password or even the email address of the victim. Through XSS we can insert a piece of JavaScript code that will send the cookie to a webserver with a log script. This can be written in PHP, ASP, and CGI practically anything you want. The cookie can be faked with Proxomitron. [Click here to read more]
* This article was posted on 24 June 2006 by Adriaan Graas in his website. I know it’s a little old article but this news seems to be very kewl so I thought of posting about this in my blog ;)
