Microsoft patches Hotmail security flaw

Microsoft on Hotmail hole: D'oh!

Microsoft says it has fixed a security hole that left millions of Hotmail users exposed on the Internet -- but it may not be able to repair the public relations damage sure to follow.
Written by Lisa M. Bowman, Contributor

The private accounts of millions of Hotmail users were left exposed for hours, after several Web sites exploited a security hole in Microsoft software.

The Web sites let anyone read, send or delete mail from an account simply by typing in a user name. No password was required. Microsoft took its Hotmail servers down Monday morning after learning of the problem from the European press (several of the sites originated in Europe). By late morning, Microsoft said it had plugged the hole and promised that future attacks would be prevented.

Some readers sent messages to ZDNet Monday afternoon saying they could still raid people's accounts, but security experts said that's because Microsoft is going from server to server, fixing the problem. With 40 to 50 million users, Hotmail is the largest email service.

The hack apparently exploited a glitch that let Hotmail accept users as valid without cross-checking the URL that referred them to the site. A Microsoft spokeswoman said she didn't think people really cared how the security hole was exploited, only that the hole had been fixed to prevent future breaches. She said the hack required a "very advanced knowledge of Web development language".
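The article attributes the hole to Hotmail accepting a user as valid without cross-checking the referring URL. The following added illustration (constructed for this article, not Hotmail's or Microsoft's code) contrasts two login handlers: one that trusts where a request appears to come from, and one that verifies a credential on the request itself. It shows why an origin check alone is only a partial mitigation, since the Referer header and the form fields are both supplied by the client; the host name `login.example.test`, the user store and the request are all constructed.

```python
import hashlib
import hmac
import os
import secrets

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: per-user salt and PBKDF2 hash, never a plaintext password.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse battery staple", _salt))}
SESSIONS = {}

def login_trusting_origin(form, headers):
    """Flawed pattern: the user is accepted because the request appears to come
    from the service's own login page. Referer and form fields are both
    client-controlled, so a form hosted anywhere can log in as any username."""
    if headers.get("Referer", "").startswith("https://login.example.test/"):
        user = form.get("login")
        if user in USERS:
            token = secrets.token_urlsafe(16)
            SESSIONS[token] = user
            return token
    return None

def login_verifying_credential(form, headers):
    """Hardened pattern: identity is proven only by a credential checked
    server-side on this request; where the request came from does not matter."""
    record = USERS.get(form.get("login"))
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(form.get("passwd", ""), salt)):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = form["login"]
    return token

# Constructed request: a third-party page asks only for a username and
# presents a Referer that matches the real login page.
USERNAME_ONLY_FORM = {"login": "alice"}
ORIGIN_HEADERS = {"Referer": "https://login.example.test/login.html"}

def demo():
    """Reports which handler grants a session to the username-only request."""
    return {
        "origin_check_grants_session": login_trusting_origin(USERNAME_ONLY_FORM, ORIGIN_HEADERS) is not None,
        "credential_check_grants_session": login_verifying_credential(USERNAME_ONLY_FORM, ORIGIN_HEADERS) is not None,
        "credential_check_with_password": login_verifying_credential(
            {"login": "alice", "passwd": "correct horse battery staple"}, {}) is not None,
    }
```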

However, several computer experts said the code that took advantage of the Hotmail hole -- code that's been posted on hacker sites -- was actually quite simple. "It's trivial. It's just some HTML code," said Richard Smith, security expert and president of Phar Lap software, who was instrumental in catching the creator of the Melissa virus.

Jay Dyson, a computer systems specialist in Pasadena, called the code "pathetically easy" to write. What's more, exploiting the hack to view someone's account doesn't require any computer proficiency -- only a browser and the ability to type in a user name. "The script is so trivial, I would be inclined to believe that this has been in the wild for a long time," Dyson said.

Code is considered "in the wild" when it's passed among hackers without actually being exploited by users. But apparently some found this code too compelling to resist, so they posted sites that let users spy on other people's accounts.

One of the earliest sites to exploit the bug was registered to Stockholm, Sweden-based Moving Pictures. In an email exchange with ZDNet News, Erik Barkel, the person listed on Network Solutions as the administrator, said: "I got credit for something I didn't do. I didn't code. I did put up a mirror." After the Hotmail hack site was taken down, the URL registered to Moving Pictures was directing people to a variety of sites, including Microsoft's own security page and a rant about Internet standards and date-related software problems.

Microsoft said it had no immediate plans to notify users that their Hotmail accounts may have been read. Callers to Hotmail's technical support line were greeted with waits as long as 20 minutes. Technical support people were telling users that discarded Hotmail messages would still be in the trash, and documents that had been read would be marked as such.

Computer consultants and security experts hoped the move would be a wake-up call for consumers to demand more secure software. "Basically the consumers are going to have to start asking for better security or Microsoft's not going to see it as a big problem," B.K. DeLong, a computer consultant, said. He said until users do that, Microsoft isn't going to make security a priority.

"It's just another example of large software companies doing reactive bug fixing rather than proactive bug fixing," he said. "It's very frightening."
