Microsoft under pressure for latest Hotmail hole

The company says it is still investigating a security flaw in the email service that allows hackers to read other people's emails
Written by Wendy McAuliffe, Contributor

Microsoft is under pressure to fix a security hole in Hotmail that allows hackers to access other people's emails -- in some cases even emails that have been deleted.

Less than a fortnight after the MSN Hotmail servers were infected by the malicious "Code Red II" worm, the email service has been hit by the latest hack to compromise its security. But Microsoft is insisting that the Hotmail flaw has not jeopardised any customer information, and calls the warnings 'hyped up'. The company said it is still investigating how the mechanism can be made more secure.

Information about the vulnerability was published on Saturday night by a group of computer security experts named Root Core. The hack requires specific knowledge of a target's username and password, as well as the exact time at which an individual email arrived, and its unique message ID -- comprised of a string of 10 to 11 numbers.

Root Core posted a scanning device on its site to automate the process of finding message IDs, but Microsoft is adamant that the complex nature of the exploit will prevent any widespread abuse, and said a successful hack would only allow the person to read a portion of an email. "A hacker would need to have complete control over a user session...and would have to conduct tens of thousands of attempts before they would hit on a valid message ID," said a Microsoft spokeswoman. "It's an extremely difficult thing to do, and the malicious user would effectively only be able to exploit their own mail," she added.

In addition to the message ID scanner, Root Core posted on its Web site detailed instructions for exploiting the hack, and noted that this type of hack allows an email to be read even after it has been deleted and the trashcan emptied. The group said it advised Microsoft of the flaw on Friday, but Microsoft denies this.

"It's another nail in the coffin for Microsoft's credibility when it comes to security" said Graham Cluley, senior technology consultant at antivirus firm Sophos. "Its software is so popular, so hackers are drawn to it -- it's not necessarily more vulnerable [than other email services]."

Hotmail is one of the world's largest free Web-based email services, with Microsoft claiming to have more than 110 million active accounts. But its notoriety for security breaches and outages will be more serious now that the integral components of Windows are closely integrated with Microsoft's Passport authentication system and Web-based services.

"The average man on the street isn't going to get targeted as they aren't using their Hotmail account for sensitive information," said Cluley. "But if they get paranoid they can switch to Yahoo!, or take their data offline."

See the Viruses and Hacking News Section for the latest headlines.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards