
Hackers stole emails from Hotmail due to an error on Microsoft's site


Due to an error on the Microsoft website, criminals managed to steal emails from Hotmail accounts for a whole week.

On May 12, Trend Micro discovered a message sent to a victim's mailbox from Taiwan. The message looked like a notice from Facebook. It warned the victim that someone had access to her Facebook account.

In fact, a script had been injected into the message, and it then forwarded all of the victim's emails to the hackers.
For the script to work, the victim had to be logged into her Hotmail account. The script ran even when the contents of the message were simply viewed in the usual way.

The attack succeeded because of a common web programming error on Microsoft's site: cross-site scripting.

“The script creates a special request sent to the Hotmail server. After that, it forwards all the victim's messages to certain email addresses,” the Trend Micro blog said.

In general, errors such as cross-site scripting are often found on the Web, but they are very rare on sites as important and widely used as Windows Hotmail.

Trend Micro immediately reported this to Microsoft. It is not clear how many Hotmail users were affected by the attack.

According to Trend Micro, the attack was not very widespread. The number of victims is around 1,000 to 2,000, said Jamz Yaneza, an expert at Trend Micro.

However, he added, Trend Micro has no idea how long this vulnerability existed on the site.

The vulnerability has now been fixed.

Source: https://habr.com/ru/post/119951/

