Security Strategy

Microsoft red faced over web-mail flaw

Getting hot in here...

Tags: hotmail, flaw, microsoft

By Joris Evers

Published: 7 June 2005 08:45 GMT

Microsoft took part of its MSN website offline over the weekend, after it learned of a flaw that could let an attacker gain access to Hotmail accounts, the company said.

The MSN website, http://ilovemessenger.msn.com/, contained a so-called cross-site scripting flaw, a Microsoft representative said on Monday. In its initial review of the issue, the company found that an attacker could use the vulnerability to obtain "cookies" from Hotmail users by getting them to click on a malicious URL. The cookies could then grant access to those email accounts, the representative said.

Cookies are small files stored on a computer that contain user data. Hotmail is one of the world's most popular web-based email services, with more than 200 million active accounts, according to Microsoft.

Microsoft's acknowledgement of the Hotmail issue comes after the security hole was disclosed on Saturday by Alex de Vries, a Dutch programmer, on the Net-Force website for security enthusiasts.

Cross-site scripting flaws are errors in website design, not in web browsers, and were discovered more than five years ago. Microsoft has described the flaws as serious security vulnerabilities.

Hotmail customers are no longer at risk, according to Microsoft. "The 'I Love Messenger' website has been disabled," the company representative said.

The site, which hosts emoticons and display pictures and backgrounds for MSN Messenger (Microsoft's free instant messaging service), will be restored once the issue has been resolved, according to the representative. On Monday afternoon (PT), the web address was redirecting users to the main MSN Messenger website.

Joris Evers writes for CNET News.com
