The attack highlights the under-rated and often-ignored risk of allowing employees to check their personal e-mail accounts at work, the company says.
Cross-site scripting (XSS) is a common security vulnerability in web applications that enables attackers to inject client-side script into web pages viewed by other users, but rarely found in prominent sites such as Hotmail.
The vulnerability enabled hackers to display a message that looked like a Facebook notification warning the victim's account had been accessed from a new location. Embedded in the message was a script that forwarded the victim's e-mail messages to the hackers.
The attack would launch if the victim was logged into Hotmail and either read or previewed the booby-trapped fake Facebook warning message.
"The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user's e-mail messages to a certain e-mail address," Trend Micro said in a blog post.
The attack exploits a script or a CSS filtering mechanism bug in Hotmail (CVE-2011-1252), which Microsoft has fixed in an update to Hotmail.
This story was first published by Computer Weekly