BT's free email service breached

Talk21 email security has been broken
Written by Will Knight, Contributor

Security at BT's free online email service Talk21 was breached Thursday when a user gained access to numerous accounts. The individual who uncovered the problem claims that the service remains wide open.

John Heaton gained access to talk21 accounts through a software package used to gather information concerning visitors to his site. The fault occurred when someone who was visiting his Web site also had his or her email open.

Heaton is the owner of Hotelkeeper.net and uses the software package to discover where visitors to his site have browsed from. He says that the package allowed him to view a visitors talk21 account and to alter account information. He uncovered the security hole after sending out an email inviting people to his Web site.

Talk21 is a free online email service similar to Hotmail and has 2.5m users.

BT is keen to reassure users that this was an isolated and short-lived incident. "There is no evidence that any users email was tampered with," says the BT spokesman. "As far as we know it was only this one hotelier who was able to access other accounts."

Heaton, however, remains concerned about the situation. He says that BT has simply stopped talk21 users from linking to other Web pages from their accounts and that the security problem remains. "The referral link in my Web stats software still takes you directly back to that particular message in the talk21 customers' email," Heaton told ZDNet. "Anyone with knowledge of how URLs and the Internet work would still be able to access the users inbox pretty easily, although this would the be regarded as hacking. In any event, it's still a major security issue."

Heaton says that BT is failing its customers. "If such loose security were discovered on the Web sites of many smaller companies, they would have been forced to close the service or even gone out of business by this point," he says. "BT has not informed or apologised to their talk21 customers in any way as yet."

According to BT, the problem is not unique to talk21 and affects Internet traffic in general, although it says that neither Hotmail nor Yahoo! are vulnerable because they use cookies to authenticate users.

Take me to the Hackers News Special

What do you think? Tell the Mailroom. And read what others have said.

To have your say online click on the TalkBack button and go to the ZDNet News forum.

Editorial standards