New Security Flaw In Hotmail
An Israeli computer science student has discovered a new security flaw in Hotmail, Microsoft's email service.
The attack on a user’s email account uses cross-site scripting (XSS) and is triggered when a Hotmail user clicks a specially crafted link in an email message. The malicious code then sends the user’s cookie, which contains the session information, to the attacker.
At this point the attacker can log in to the victim’s email account, take control of that account, read emails and contacts, and also reset the password.
Baha Naamana, who discovered the flaw, reported his finding to Microsoft three weeks ago. He received a response from the Microsoft Security Response Center saying that they would investigate the report and asking him not to disclose the information. Three weeks have passed and the problem still exists, according to Naamana, so he decided to go public with the information in the hope that this will make Microsoft respond faster and fix the flaw.













