A schoolboy error by Microsoft coders allowed hackers to access the web-mail accounts of thousands of users, according to security researchers.
Trend Micro reports that an unpatched vulnerability in Hotmail, triggered by a maliciously crafted email message that automatically executed embedded script, allowed messages and personal details to be stolen from thousands of accounts - and that was after the flaw had been discovered.
Because of the nature of the cross-site scripting gaffe, there's no way of telling how many accounts had been accessed before the exploit was unearthed.
"We analysed the embedded crafted code before the actual email message’s content and discovered that once Hotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine," writes Trend Micro's Karl Dominguez. "This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail login session."
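The quote describes a general class of bug: a sanitiser that rewrites its input can manufacture a dangerous string that was never in the original message. The toy filter below is an added illustration, not Trend Micro's analysis or Microsoft's actual Hotmail code, and its blacklist, sample inputs and helper names are constructed for this example. It shows the check a practitioner would run against any rewriting filter (is it idempotent, i.e. does a second pass change nothing?) and the mitigation that avoids the problem entirely: contextual output encoding of the value for the CSS context, so the browser's tokenizer never sees a delimiter or line break that could split a declaration.

```python
import re

# Constructed toy blacklist: stands in for any sanitiser that edits its input
# rather than encoding it. Not Hotmail's real filter (assumption for illustration).
BLACKLISTED = re.compile(r"<script>|expression\(", re.IGNORECASE)

# Raw characters that can break out of, split or terminate a CSS value.
RAW_CSS_DELIMITERS = re.compile(r"[;{}()\"'\n\r]")


def rewriting_filter(value: str) -> str:
    """One pass of blacklist removal: the kind of filter that can create new tokens."""
    return BLACKLISTED.sub("", value)


def is_idempotent(filter_fn, value: str) -> bool:
    """A sanitiser must be a fixpoint: applying it twice must change nothing.
    A value for which this returns False is evidence the filter rewrites
    its input into something it would itself have rejected."""
    once = filter_fn(value)
    return filter_fn(once) == once


def css_encode(value: str) -> str:
    """Contextual output encoding for a CSS value, following the usual
    rule: every character outside [A-Za-z0-9] becomes \\HH plus a trailing
    space (the space is consumed by the CSS escape grammar). The result
    can never contain a raw ';', '{', '}', quote, parenthesis or newline."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"\\{ord(ch):x} ")
    return "".join(out)


def has_raw_css_delimiters(value: str) -> bool:
    """True if the string still carries characters that could split a CSS declaration."""
    return RAW_CSS_DELIMITERS.search(value) is not None


if __name__ == "__main__":
    # Constructed input: a token split around a blacklisted word.
    sample = "<scr<script>ipt>"
    print("after one pass :", rewriting_filter(sample))
    print("idempotent?    :", is_idempotent(rewriting_filter, sample))
    print("css-encoded    :", css_encode("red;}"))
```

The idempotence check is cheap to add to a sanitiser's unit tests over a corpus of fuzzed inputs; a single failure means the filter is transforming rather than neutralising. Encoding for the output context sidesteps the whole problem, because nothing that reaches the CSS engine can change the structure of the declaration, whatever the attacker sent.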
Following a common trend amongst criminal hackers, the attack was triggered by a fake alert warning that a user's Facebook account had been accessed from a new location. Opening the message executed the script, which then exploited the open Hotmail session to send all of the user's email messages to the attacker.
Cross-site scripting errors are common all over the Internet but really shouldn't turn up on web sites built by multi-billion dollar corporations like Microsoft.