May 24, 2011 17:55 GMT

Microsoft has patched a vulnerability in Hotmail that was exploited by attackers to extract sensitive information, such as emails and contacts, from people's accounts.

According to Microsoft's acknowledgements page, the vulnerability was discovered by Yvon Liu, a threat researcher with security vendor Trend Micro.

The flaw was exploited in targeted attacks via maliciously crafted emails. "Unlike other email-based attacks that require users to open the message and to click an embedded link or to download and execute an attachment, this attack’s execution merely requires users to preview the message in their browsers," Trend Micro explains.

The emails were crafted to appear to originate from Facebook's security team and informed users that their accounts had been locked because they were accessed from unrecognized locations.

The emails took advantage of the flaw in Hotmail's CSS filtering mechanism to pull in and execute a rogue script from a remote server.
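Microsoft did not publish the internals of Hotmail's CSS filter, so the following is an added example written for this article rather than Hotmail's code: a small inline-style sanitizer that fails closed. It allowlists properties instead of blocklisting bad ones, decodes CSS backslash escapes and strips comments before matching (the two classic ways a value such as `url(` is disguised), and drops any declaration whose decoded value could fetch remote content or smuggle in an extra declaration. The property allowlist, the forbidden-fragment list and the sample style strings (using the reserved placeholder domain example.invalid) are all constructed for the example.

```python
import re

# Allowlist of inline-style properties a webmail renderer lets through.
# This list is an assumption for the example; the filter Hotmail actually used is not public.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-align", "text-decoration", "margin", "padding",
    "border", "width", "height", "line-height",
}

# Value fragments that can fetch remote content or run script in some browsers,
# plus delimiters that must never survive inside one declaration's value
# (a ';' or '{' that only appears after escape decoding means the author was
# trying to smuggle an extra declaration or rule past the splitter).
FORBIDDEN_FRAGMENTS = ("url(", "expression(", "@import", "javascript:", "vbscript:", ";", "{", "}")

# CSS escape: backslash + 1-6 hex digits + optional single whitespace, or backslash + any char.
_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)


def decode_css_escapes(text: str) -> str:
    """Resolve CSS backslash escapes so the check sees what the browser sees.

    '\\75 rl(' is the same as 'url(' to the CSS parser; a substring check on
    the raw text would miss it.
    """
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            try:
                return chr(int(m.group(1), 16))
            except (ValueError, OverflowError):
                return ""  # out-of-range code point: drop it
        return m.group(2)
    return _ESCAPE_RE.sub(repl, text)


def canonical(text: str) -> str:
    """Decode escapes, strip comments and collapse whitespace (used for output)."""
    decoded = decode_css_escapes(text)
    without_comments = re.sub(r"/\*.*?\*/", "", decoded, flags=re.S)
    return re.sub(r"\s+", " ", without_comments).strip()


def match_key(text: str) -> str:
    """Form used for matching: canonical text with all whitespace removed and
    lower-cased, so 'ur l (' or 'URL(' cannot dodge the fragment list."""
    return re.sub(r"\s+", "", canonical(text)).lower()


def sanitize_inline_style(style: str) -> str:
    """Keep only declarations with an allowlisted property and a value free of
    forbidden fragments; everything else is dropped, not repaired."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        raw_prop, raw_value = declaration.split(":", 1)
        prop = match_key(raw_prop)
        if prop not in ALLOWED_PROPERTIES:
            continue
        if any(frag in match_key(raw_value) for frag in FORBIDDEN_FRAGMENTS):
            continue
        kept.append(f"{prop}: {canonical(raw_value)}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed samples; example.invalid is a reserved placeholder domain.
    samples = [
        "color: red; font-weight: bold",
        "color: red; background-color: url(http://example.invalid/x.css)",
        "color: \\75 rl(http://example.invalid/a)",         # escaped 'url('
        "co\\6c or: ur/**/l(http://example.invalid/b)",      # escaped property, comment-split value
        "font-family: Arial, sans-serif; behavior: url(http://example.invalid/c.htc)",
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_inline_style(s)))
```

The design point is the order of operations: decode and strip first, match second, and emit the decoded form rather than the attacker's raw text, so what is checked is exactly what reaches the browser. Splitting on the raw `;` before decoding is deliberately conservative; a `;` that only exists after decoding is treated as evidence of tampering and the declaration is dropped.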

"The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker," the Trend Micro researchers note.

The script, downloaded and executed inside the user's browser, sends a request to the Hotmail server on the user's behalf instructing it to forward all emails and contacts to a particular address.

Depending on the size of the user's mailbox, this process can take some time and will keep on running as long as the user remains logged in. Logging out will stop the script's execution.

Trend Micro recommends that companies prevent employees from accessing their personal email accounts at work, especially via webmail, in order to avoid attacks like this one, which could result in the theft of sensitive corporate data.