WebTV hole leaves users exposed

The account information of some WebTV customers could have ended up in the wrong hands, as a result of a security flaw in the set top box's software.

Microsoft, which owns WebTV, said Tuesday it has taken care of the flaw, which made it possible for malicious hackers to tinker with WebTV customers' accounts.

The problem occurred when an email message sent to a WebTV user's mailbox was bounced back -- WebTV accounts can only hold about 150 messages and bounce back incoming email messages when they are full. If the WebTV user had the spam filter activated, then the returned message would divulge the user's ID numbers to the sender -- in addition to the reason the email was deflected. As a result, those who knew about the flaw could gather a WebTV customer's account information by email bombing the account -- without the customer ever knowing about the invasion.

The glitch was first reported by Net4TV Voice, a publication of the interactive television consulting firm Iacta. Net4TV Voice publisher Laura Buddine said some users notified her of the breach last week. In addition, she came across it the flaw when some messages on the Net4TV mailing list were returned containing the user's account information. Eventually, she duplicated the problem.

Microsoft said it would be difficult for hackers to alter accounts once they had the IDs because they also would have to trick the WebTV user into issuing certain commands. The security breach appears to be an iteration of a flaw that surfaced last November, when people began noticing that user ID numbers showed up in emails that had bounced back from WebTV accounts.

The glitch became a system-wide problem a few weeks ago, when WebTV installed a new automatic spam filter, which is activated by default. After it discovered the flaw, Net4TV was urging people to turn off the spam filter.