HotMail security bug exposes passwords


Paul Thurrott

August 24, 1998


Microsoft's free HotMail email service suffers from a security breach that could cause its users to disclose their user names and passwords. The bug, which was discovered by a Canadian company called Specialty Installations, can be triggered by a piece of JavaScript code embedded in an HTML-format email message. When the user reads the encoded message, the JavaScript code asks the user to log in to HotMail again. Since the dialog box looks just like the one you get when you really do log in to HotMail, many users will be fooled, and the login information will be mailed to the sender of the message.

Microsoft is working on a fix to the problem but offers the following advice in the meantime: Don't open messages from unknown parties. If you see an unexpected login prompt, do not respond to it, but rather return to HotMail using a Favorite/Bookmark or by typing the HotMail URL into your browser.

Tools like JavaScript, VBScript, and Java are far more powerful than normal HTML, but since all popular email programs now support HTML, these other technologies have come along for the ride and they're opening up numerous security problems. Email bugs in Eudora, Netscape Mail, Microsoft Outlook 98, and Outlook Express can all be tied to HTML-enabled email.

About the Author(s)

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
