Hotmail can be used to launch email bombs

Microsoft's Hotmail can be used as a tool for flooding and email bombing because of a weakness in the free email service that the software giant admits will not be fixed until tomorrow.

According to security researcher Philip Stoev, who discovered the issue, Hotmail can act as email size amplifier with a factor of at least 1000, allowing an attacker to flood a victim with mail while consuming a negligible amount of bandwidth.

In a posting to the Bugtraq security mailing list, Stoev explained the problem stems from the way Hotmail handles the 'attfile' hidden form field on its Compose Message form.

"Normally, this form field contains information on the attachments that are to be sent with the message being composed. The problem is that it is possible for this form field to reference one and the same attachment several times, which will make Hotmail send this attachment as many times as desired with the outgoing mail," said Stoev.

"The amplification occurs because the attachment is actually uploaded only once, while Hotmail sends it several times to the end recipient."

Stoev estimated that, using this technique, an attacker using 100Kb of bandwidth would be able to consume 22Mb of incoming bandwidth. Beyond filtering there seems to no way of dealing with the vulnerability, which Stoev said would be relatively easy to exploit using readily available tools.

In a response posted to Bugtraq, security officials at Hotmail confirmed they were able to reproduce the problem. "The Hotmail security team has identified the changes that are needed, and is implementing the change even as we speak," they said.

"New system software is loaded every two weeks, and the next scheduled update is 14 November. We'll make sure that the change is included in that update."

Deri Jones, of security testing specialist NTA Monitor, said Microsoft would have to block people from sending a file in the same email more than once. He added that web-based email services in general can be used as a tool for email bombing by, for example, subscribing to high-volume mailing lists and forwarding mail from an account to the victim's email address.

"Victimising someone's email address is as old as email, and mail-bombing has always being a part of that," said Jones.

See also:

New hacker risk hits Hotmail users

Microsoft investigates yet another vulnerability  17 Sep 2001

Security flaw found in BT's talk21 email

BT's free web-based email service talk21 has come under fire for lax security after an online businessman stumbled across a flaw that gave him access to users' email accounts.  29 Sep 2000

Hotmail instant messaging glitch revealed

Microsoft is investigating a glitch that allows Hotmail users to register outdated accounts and gain access to the associated instant messaging user names and contact lists.  26 Aug 2000

Hotmail to finally move to Windows

Microsoft will this autumn finally address the embarrassing fact that its Hotmail email service is not running on Windows servers.  09 Aug 2000

Microsoft admits to Hotmail privacy flaw

Microsoft has been forced to completely redesign the technology behind its Hotmail free email service after a privacy flaw came to light.  15 Jul 2000

Hotmail back online after fix

Microsoft was forced to shut down its Hotmail service to fix a security hole discovered on Wednesday.  12 May 2000

Hotmail bailed out after forgotten bill

Hotmail users had an unlikely hero to thank for restoring their service when it suffered a glitch on Christmas Eve - a Linux programmer and his credit card.  06 Jan 2000

Hotmail defended from virus slur

Microsoft last week hit back at allegations that it is not doing enough to prevent its Hotmail service becoming a carrier of potentially devastating macro virus infections.  03 Nov 1999

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!