Hotmail hole still wide open

ALSO    Message Boards:    Online privacy    How do you define a hacker?    Sign up for the Computer Connection email service    For more computing stories

August 30, 1999
Web posted at: 4:17 p.m. EDT (2017 GMT)

By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- A breach in Microsoft's Web-based e-mail service is still an issue Monday even after the company announced that the Hotmail hole had been closed for good, with millions of accounts accessible to anyone.

The breach initially worked via several Web addresses, which prompted for a Hotmail username. Once a username was entered -- no password required -- the Hotmail account appeared and the mailbox was available.

Microsoft said it disabled those sites by mid-day Monday but hackers found new ways inside Hotmail code later in the day and posted a new Web address that bounced directly into a user's mailbox once a username was entered in a segment of the address.

"It seems like every hour Microsoft finds a hole and they close it. Then another hacker opens another hole," said Adam Bruce, a computer specialist who monitors user groups frequented by hackers.

"I have a Hotmail account," Bruce said. "This scares the heck out of me. Now anybody and their brother can read my mail."

The exact cause of a Hotmail security breach remained unclear.

The breaches early in the day and later allowed CNN Interactive to open all accounts it tested. But e-mail messages couldn't always be opened. The hole first was reported in the Swedish newspaper Expressen's Monday editions.

The breach allowed users to read and forward a member's old messages, read new messages and send e-mail in some cases under the name of the user -- assuming the member's identity.

Hotmail, which reportedly has had trouble with security breaches in the past -- including a different breach that allowed hackers to swipe passwords -- boasts 40 million subscribers. The free Hotmail service was down for an hour Monday morning to respond to the initial situation.

"It was apparently a problem where a malicious hacker with specific knowledge of advanced Web development language was able to gain access to the servers," according to a Microsoft statement.

Microsoft said at mid-day that it introduced code Monday to prevent future attacks and all its servers were up again after the morning shutdown. All Hotmail users would receive e-mail from the service notifying them of the situation, a Microsoft spokeswoman said.

When the new Web address became known, Microsoft was not available for immediate comment.

Richard Smith, a computer security specialist, said the fault for the security lapse may lay with Microsoft.

"It looks like a bug at the Hotmail servers," said Smith, president of Phar Lap Software Inc. in Cambridge, Massachusetts. "They are logging in through some sort of back door."

Smith said the back door might have been through a new service Microsoft released this weekend called Passport. That service allows the use of Hotmail usernames and passwords to log into other Microsoft Network services.

Shortly after CNN Interactive posted an initial story about the breach, one of the sites was changed to a simple message, "Microsoft rules." Shortly after that, the URL redirected the user to a site for a new Web company. Later, it redirected users to a Microsoft security screen or returned an error message.

Other sites - situated all over the world but all using the same Hotmail gateway program -- first provided access without a password but later returned "Forbidden" messages.

Ari Schwartz, a policy analyst with the Center for Democracy and Technology, said the security hole in Hotmail was troublesome because Web-based e-mail is a good privacy solution for people sending personal e-mail at work. But no e-mail is totally secure, he said.

"There is a question of how secure you can make any e-mail system," Schwartz said, "especially if people are trying to hack it all the time."

At this point, there is no legal precedent to protect e-mail users from privacy violations, said David Sobel of the Electronic Privacy Information Center.

"It's not clear that a Hotmail user whose privacy has been compromised really has any recourse against Microsoft for what might be found to be negligent engineering of this feature," Sobel said.