
Huge Hotmail security flaw reported

ZDNN Staff | August 30, 1999 12:00 AM PDT

Summary

In a huge e-mail breach, millions of Hotmail accounts may have been exposed over the Web.
Updated at 11:17 AM

In potentially one of the largest e-mail security breaches ever, a Web site may have allowed people access to millions of private Hotmail accounts.

The Hotmail snafu is sure to reignite debate about privacy and security on the Web, as well as direct more criticism toward Microsoft Corp. (Nasdaq:MSFT), which owns Hotmail.

The site allowed any Web user access to people's Hotmail accounts simply by typing in a Hotmail user name.

Once the name was entered, the Hotmail account and mailbox for that account were easily viewed. Messages, in many cases, could be read or forwarded.

Microsoft took down Hotmail servers for a couple of hours Monday morning to fix the glitch. Microsoft said the fix also was designed to prevent future attacks. It's not notifying users that their e-mail may have been read.

But some users say Microsoft has not made a fix -- the vulnerability still exists.

There are between 40 million and 50 million Hotmail users, according to market researchers -- making it by far the largest e-mail service.

The problem wasn't a small hole that only a technically adept hacker could exploit. With this hole, anyone with access to a short HTML script, already widely circulated, could open Hotmail accounts.

Reporters at Sm@rt Reseller found that Hotmail in-boxes could be viewed, and messages forwarded or deleted -- all by simply putting a user name in the script.

Early details were sketchy, but the problem appeared to be the result of sloppy programming at the front end of the service. Essentially, Hotmail was configured to accept as a valid user ID any ID forwarded within a specific URL framework. The problem is that if a person knew what that URL framework was and inserted someone else's ID, then that person could raid that account.
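The weakness the paragraph above describes is a front end that treats a user ID carried in the request as proof of identity. The following is an added illustration written for this page, not code from the article, from Hotmail or from Microsoft: a toy web-mail handler in the flawed form beside a hardened one that derives identity only from a server-side session. The parameter name "login", the cookie name "session", the credentials and the mailboxes are all constructed for the example; the article does not give the real URL format.

```python
# Added example (not from the article, Hotmail or Microsoft): a toy
# web-mail front end contrasting a handler that trusts a user ID in the
# URL with one that binds identity to an authenticated session.
# Parameter and cookie names, credentials and mailboxes are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample mailboxes; a real service would read these from storage.
MAILBOXES = {
    "alice": ["Lunch on Friday?", "Your invoice is attached"],
    "bob": ["Re: project status"],
}

# Constructed sample credentials. Real systems store password hashes, never
# plaintext; this is only enough to demonstrate the session flow.
CREDENTIALS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# Server-side session store: opaque token -> authenticated user name.
SESSIONS: Dict[str, str] = {}


@dataclass
class Request:
    params: Dict[str, str]                       # parsed query-string parameters
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_inbox(req: Request) -> Response:
    """The flawed pattern: whoever supplies the 'login' parameter (assumed
    name) is treated as that user, with no proof they ever authenticated."""
    claimed = req.params.get("login")
    if claimed not in MAILBOXES:
        return Response(404)
    return Response(200, MAILBOXES[claimed])


def authenticate(user: str, password: str) -> Optional[str]:
    """Toy credential check; returns an opaque session token on success."""
    stored = CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    token = secrets.token_urlsafe(32)   # unguessable, server-generated
    SESSIONS[token] = user
    return token


def hardened_inbox(req: Request) -> Response:
    """Identity comes from the session cookie only. A 'login' parameter, if
    present, is at most a hint that must agree with the session owner."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return Response(401)            # no authenticated session at all
    requested = req.params.get("login")
    if requested is not None and requested != user:
        # Cross-account request: refuse it. A real service would also log
        # this mismatch, since it is the signal a defender wants to see.
        return Response(403)
    return Response(200, MAILBOXES[user])
```

The point of the contrast is that the user ID in the URL is never the authority: the hardened handler looks up who the session belongs to and refuses any request whose URL names someone else, which is also the event worth alerting on.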

No other Web-based e-mail services were affected by the problem.

In a bit of programming satire, visitors to the site where Hotmail access was offered are now redirected to Microsoft's security area.

Steven J. Vaughan-Nichols and Jason Perlow of Sm@rt Reseller, and Lisa Bowman and John Spooner of ZDNN, contributed to this report.
