Criminals have been siphoning e-mail messages from Hotmail users’ accounts for more than a week, thanks to a vulnerability in Microsoft’s website. The flaw gave hackers a way to read and steal e-mail from Hotmail users by sending specially crafted e-mail messages to several thousand victims.
On May 12, Trend Micro found a message sent to a victim in Taiwan that looked like a Facebook notification alert, warning that someone had accessed their Facebook account from a new location. Embedded within the e-mail was a script that forwarded the victim’s e-mail messages to the hacker.
For the cross-site scripting flaw to work, the victim had to be logged into Hotmail, but the script would run even if the victim simply previewed the message. The script triggered a request to the Hotmail server instructing it to forward all of the affected user’s e-mail messages to a different e-mail address. Cross-site scripting flaws are common on the Web, but they’re rarely found in widely used websites like Windows Live Hotmail.
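The defensive counterpart to the flaw described above is an allowlist sanitizer that a webmail preview pane runs over a message’s HTML before rendering it, so that script elements, event-handler attributes and javascript: links never reach the browser. The example below is added here and is not code from Microsoft, Hotmail or Trend Micro; the message body is constructed, and forwardMail() is a hypothetical placeholder standing in for whatever the embedded script called.

```python
from html import escape
from html.parser import HTMLParser

# Only these tags survive; everything else is dropped (the text inside is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "div", "span", "ul", "ol", "li"}
# These tags are dropped together with their content, so script bodies never reach the output.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# The only attribute kept at all is href on <a>, and only with one of these schemes.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown/disallowed tag (img, form, ...) is removed, its text stays
        kept = ""
        for name, value in attrs:
            # on* handlers, style, src and every other attribute fall through and are dropped.
            if tag == "a" and name == "href" and value and value.strip().lower().startswith(SAFE_SCHEMES):
                kept = f' href="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_html_mail(body: str) -> str:
    """Return a version of an HTML e-mail body that is safe to render in a preview pane."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample resembling the fake Facebook alert, with the active content an attacker would add.
SAMPLE_MAIL = (
    '<div><p>Someone logged into your <b>Facebook</b> account from a new location.</p>'
    '<a href="https://www.example.com/review" onclick="forwardMail()">Review activity</a>'
    '<script>forwardMail()</script>'
    '<img src="x" onerror="forwardMail()">'
    '<a href="javascript:void(0)">link</a></div>'
)

if __name__ == "__main__":
    print(sanitize_html_mail(SAMPLE_MAIL))
```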
Trend Micro reported the issue to Microsoft immediately, and it was finally fixed on Friday. According to Trend Micro, the attack doesn’t seem to have been widespread, affecting between 1,000 and 2,000 victims; however, Trend Micro has no way of knowing how long the flaw existed before it was uncovered.