A British hacker-turned-security consultant, who requested anonymity, told ZDNet UK News this morning that the nature of the script -- that is, the accuracy of its parameters -- may indicate that an insider, or at least someone with an intimate knowledge of Hotmail's internal workings, is at the centre of the controversy.
According to the source, to have created the admin script responsible for the exploit would require knowledge of key parameters difficult to guess but common knowledge among Hotmail administrators. "The Swedish hacking group that have claimed responsibility for this crack may not even exist," says the source. "It would be very difficult to guess these parameters. The use of these would seem to indicate that someone must have had inside contact at some point."
The only alternative, the source believes, is that the exploit is based on the workings of another email service similar to Hotmail's. "Whatever it is, it is totally inexcusable," the source says.
A Webmaster for another high-profile email service, who also asked for anonymity, agrees the Hotmail crack bears the markings of insider knowledge. "This smacks of an inside job," says the Webmaster. "It doesn't look like the sort of thing that someone would have stumbled across and the quickest route to this exploit would be inside knowledge."
Both sources believe it may never be possible to trace those responsible for the security breach, or the people who used it. They agree that the whole Hotmail system should be overhauled. The security source says, "They may have server logs showing who has used this crack, but the very size of Hotmail may mean it is impossible to know who accessed whose accounts. It will also probably take a complete overhaul of the system for Hotmail to regain any credibility."
But Microsoft, perhaps misjudging the PR impact of the attack, denies an inside job was responsible for the "glitch" and confirms no overhaul of the Hotmail system is planned.
Gillian Kent, group marketing manager for MSN, is confident the Swedish hacking group claiming responsibility for the crack are the real culprits. "To our knowledge this was nobody internal. We will work with the local authorities to bring these malicious hackers to book. We see this as a glitch and it will not require Hotmail to be reconstructed." Kent, clearly exhausted by an early morning media blitz, denies there was anything "inexcusable" about Monday's events. "This could have happened to any email service. We've rectified the problem and the important thing is that people can feel confident in using Hotmail," she says.
This exploit, or variants of it, can still be found on a number of US and UK Web sites although shortly after it became common knowledge Monday afternoon, a number of these sites were removed.
Was this a "glitch"?
Do you feel confident in using Hotmail?
Tell the Mailroom