Hotmail, Yahoo scramble after email security flaws exposed
(CNN) -- An Internet civil liberties organization said it discovered two serious security problems that would allow hackers considerable access to user accounts of several popular free Web-based email services like Hotmail and Yahoo!
The potential breaches seem to have been addressed by Wednesday afternoon, according to Peacefire.org and both companies.
Bennett Haselton of Peacefire.org said Wednesday that he found a "backdoor" in Hotmail that would let someone break into an account by sending a user an email with a malicious attachment that he designed.
When users view the attached HTML file, the cookies in the Hotmail domain could be "intercepted and sent to a hostile site," said Haselton, a freelance programmer in Seattle.
Because Hotmail uses the cookies to identify the user, "anyone who received them could log into Hotmail as that user," allowing them to read, delete and send mail from the account, he said.
A spokesperson for Microsoft Corp., which owns the email service, said "Hotmail has already implemented a fix on all of its servers."
Hotmail service was briefly unavailable to users during the repair. "This was done in the interest of user security. To the best of our knowledge, no user was affected," she said.
Haselton said Hotmail was not vulnerable to a deception that hackers could use to steal passwords from users of email services like Yahoo! and USA.NET.
The ruse offers false "Reply" or "Delete" buttons that forward to a bogus but seemingly legitimate Yahoo! Mail window, which indicates the session timed out and requests that an unwitting email reader re-enter a password.
The user continues reading email messages, but the password is sent to a hostile site, said Haselton, who announced the discovery on Tuesday.
"It's easy to figure out how the Yahoo! mail HTML interface is formatted, so in your HTML message, you just insert your own buttons, tables, etc. to look exactly like the bottom half of the real Yahoo!-message," he wrote on the Peacefire.org Web site.
Both Yahoo! and USA.NET said they implemented modifications within hours to prevent someone from using the exploit.
Haselton said his discoveries and revelations of these and other security glitches in Internet email services and browsers provide a valuable public service to Web companies.
"They are grateful when people find these problems. It helps them improve their security."
When asked if that was the case, a Microsoft spokesperson laughed and said, "I don't think that's something I can talk to you about."
© 2001 Cable News Network. All Rights Reserved.