A hacker has developed a method of bypassing the JavaScript filtering mechanisms of Hotmail, in the latest security flap to hit Microsoft"s Web-based email service.
ObLiviON has sent details of a sample exploit that shows how to smuggle JavaScript code through Hotmail filters and into a user"s In-box, to security mailing list BugTraq.
Used maliciously, the exploit would allow a cracker (or spammer) to construct an email that redirects a Hotmail user to a particular Web page. This could be used as part of a plan to fool them into retyping their password. A Hotmail user would need only to enter their In-box for this exploit to work, after which their emails could be read.
In an email to The Reg, ObLiviON explained that Hotmail"s JavaScript filter is supposed to filter all JavaScript code, and some html code that can lead to applet execution.