Trend Micro, via Help Net Security, has reported a flaw in Microsoft’s Hotmail service that allowed data exfiltration via a script, enabling attackers to siphon off contact information and messages from a user’s account.
The good news is that it’s already patched. The next bit of good news is that if a user logged out just after infection, the Hotmail session was ended, which stopped the exploit cold.
The ingenuity of the attack was that it did not require the user to click a link or download anything; simply opening a specially crafted email allowed a script embedded in the message to do the dirty work.
The attack appears to have been specifically targeted, and it relied on variables used by Hotmail itself in order to work.
It is unknown at this time how many users may have been affected by the exploit, but kudos to Microsoft for the quick fix.