Used maliciously, the exploit would allow a cracker (or spammer) to construct an email that redirects a Hotmail user to a particular Web page. This could be used as part of a plan to fool them into retyping their password. A Hotmail user would need only to enter their In-box for this exploit to work, after which their emails could be read.
The problem is the filter isn't applied to the 'From' address of a message.
ObLiviON said this is because Hotmail uses 'To' and 'From' addresses as a 'name' property for the cell where the link to the message is placed.
Other Web-based email services don't use the 'From' address as a 'name=' value, so ObLiviON reckons they are "probably" immune to this particular exploit.
The creation of ObLiviON's exploit means that Hotmail is once again in the position of having to protect the service against a security problem.
Last month an exploit was discovered which had the potential to allow snoops to call messages from any other Hotmail account by crafting a URL with the second account's username and a valid message number.
As a Microsoft-owned property, Hotmail will always be the subject of attack and its users would do well to accept this and treat most Web-based email services as inherently less secure than their desktop counterparts. Convenience has its price. ®