No cookie love for I Love Messenger
A Dutch programmer, Alex de Vries, discovered and disclosed a cross-site scripting flaw in the MSN site ilovemessenger.msn.com which could have exposed Hotmail users' email accounts to a malicious user.
Hotmail customers are no longer at risk, according to Microsoft. “The ‘I Love Messenger’ Web site has been disabled,” the company representative said in an e-mail statement. The site, which hosts emoticons, display pictures and backgrounds for MSN Messenger, Microsoft’s free instant messaging service, will be restored once the issue has been resolved…
The part that particularly caught my eye was the statement from the programmer who discovered the issue (follow the link in the ZDNet article to the programmer’s site):
Looks like MSN changed the exploitable page, so this exploit is not there anymore. But there is at least one other place known in MSN.com, where the same bug is still present.
Did the programmer tell Microsoft about this “one other place”? I hope so, but if not, then there is still an open exploit lingering at “one other place” on MSN. Be careful, Hotmail users.