Expert: Hotmail hole likely started in Sweden
By Robin Lloyd
August 31, 1999
(CNN) -- A breach that cracked the privacy of millions of Hotmail users likely originated in Sweden and traded on a Microsoft bug and a simple, innocent program written by a New Jersey man to save himself e-mail log-in time, a computer expert said Tuesday.
"It's simply a bug at Hotmail servers," said Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts. Smith is a computer security specialist who helped track the author of the "Melissa" virus earlier this year.
The breach came to light in the pre-dawn hours of Monday, and Microsoft, which owns the Web-based e-mail service, said it was entirely eliminated by that late afternoon.
The bug had been exploitable for many months and, in certain circumstances, allowed users to log in without a password at multiple Hotmail servers, Smith said.
Somebody eventually found the bug, possibly via a timesaving program written more than a year ago and posted on the Internet by Michael Nobilio, Smith said.
But it is still unclear who found the bug first.
"My theory is someone noticed you could type in any password," Smith said.
A group called Hackers Unite reportedly has claimed responsibility for the breach, which worked much like Nobilio's program but operated initially through a Web site based in Sweden showing a log-in screen for Hotmail.
Users then only had to enter a Hotmail username to gain access to that person's account. No password was needed, yet users could read messages and send messages while assuming another's identity. The evidence points to a link between Nobilio's program and the Swedish Web site.
"I looked at the URL that (Nobilio's) script will generate. It's identical to that which the Web site in Sweden was generating. There are too many coincidences there," Smith said.
Still, it is uncertain where exactly the breach originated, he said. It could be Hackers Unite, reportedly comprised of seven Americans and a Swede, or it could be someone else, Smith said.
Nobilio said he wrote the Hotmail log-in program as a convenience to save the time it takes to repeatedly log on to Microsoft's service.
"I'm in a little bit of shock right now," Nobilio said after he learned that he had been credited Monday as a responsible party by an online computer news service. "This story is entirely fiction."
It was unclear if new code would arise Tuesday or another day, defeating Hotmail's promise of renewed privacy for its 40 million subscribers. Hotmail sent out e-mail Tuesday, reassuring its clients of their privacy.
Nobilio's program involved simple JavaScript that saved his username as a "cookie" on his personal computer so he didn't have to type his username repeatedly throughout a day of rechecking his Hotmail. The program provided no access to his password, he said. He still had to type that in.
"It was totally harmless. It was just a time-saver, that was it," he said.
It is likely that the breach was created by trading on Nobilio's program, Smith said. The breach lasted several hours and forced Hotmail to take down its service for two hours Monday.
Hackers have known various ways to crack into Hotmail for some time.
The breach on Monday was the most serious and came in two waves, with the second simply providing a more direct route to the password-free log-in door to Hotmail.
In both cases, the breach was made by someone who took advantage of Hotmail's log-in, or "start," script. Manipulating that type of script, called a CGI or Common Gateway Interface script, allowed a user to slide into a Hotmail account sans password.
Microsoft laid the blame for the incident on hackers, not on coders who failed to close security loopholes in their software.
Microsoft shut down the second wave of the breach just after 4:30 p.m. Monday.
Adam Arrowood, a computer research scientist at the Georgia Institute of Technology, said that absolute security is a tough hurdle when writing software for the Web.
Web browsers connect to a server, retrieve information and disconnect, rather than keeping a continuous link. That makes it hard for security applications to keep track of passwords and log-ins, he said.
"It's very tricky," he said. There is no one with more than three years of experience in the field.
"You have to be well-trained, highly caffeinated and alert when you are doing this," he said, "or there will be ways around security measures that you attempt to put in."
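The design problem Arrowood describes, that each Web request arrives with no memory of the last one, is usually answered by having the server hand out a credential it alone can mint and re-check on every request, instead of believing a username the browser sends back (which is all a client-side cookie like Nobilio's could carry). The following is an added illustration of that general pattern, not code from the article, from Microsoft, or from Nobilio's script, and it does not claim to reproduce the actual Hotmail bug, whose details the article does not give. The user table, passwords, secret key and clock values are constructed for the demo.

```python
"""
Added example: a stateless-session design in which identity is proven by a
server-signed, expiring token rather than by a client-supplied username.
All names, secrets and users here are constructed for the demonstration.
"""
import hashlib
import hmac
import time
from typing import Optional

# Constructed user store: username -> (salt, PBKDF2 hash). In a real service
# this lives only on the server and is never sent to the browser.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
    "bob": (_SALT, _hash_password("hunter2", _SALT)),
}

# Assumption: in a deployment this comes from server-side configuration.
SESSION_SECRET = b"constructed-server-secret-do-not-ship"
SESSION_TTL = 3600  # seconds a login stays valid


def authenticate(username: str, password: str) -> bool:
    """Server-side password check; a wrong or missing user never passes."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)  # same cost for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def weak_identity(cookie: str) -> str:
    """The anti-pattern the article touches on: treating a client-stored
    username as proof of identity. Any caller can set this to any name."""
    return cookie


def _sign(payload: str) -> str:
    return hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Log in: only a correct password yields a signed, expiring token."""
    if not authenticate(username, password):
        return None
    expiry = int((now if now is not None else time.time()) + SESSION_TTL)
    payload = f"{username}:{expiry}"
    return f"{payload}:{_sign(payload)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Every request re-checks the token, so the server, not the browser,
    decides who the caller is. Returns the username or None."""
    try:
        username, expiry_str, sig = token.rsplit(":", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None
    payload = f"{username}:{expiry}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered, e.g. the username was swapped
    if (now if now is not None else time.time()) >= expiry:
        return None  # expired
    return username


def demo() -> dict:
    """Exercise the weak and the signed approaches side by side."""
    now = 1_000_000.0
    tok = issue_session("alice", "correct horse", now)
    bad = issue_session("alice", "anything", now)  # wrong password
    forged = tok.replace("alice", "bob", 1)  # rename inside a valid token
    return {
        "weak_accepts_any_name": weak_identity("bob") == "bob",
        "login_ok": verify_session(tok, now) == "alice",
        "wrong_password_rejected": bad is None,
        "forged_rejected": verify_session(forged, now) is None,
        "expired_rejected": verify_session(tok, now + SESSION_TTL) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The point of `demo()` is the contrast: `weak_identity` happily returns whatever name it is handed, whereas a token whose username has been edited, whose password check failed, or whose lifetime has elapsed is refused by `verify_session`, without the server having to keep any per-connection state between requests.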
© 2001 Cable News Network. All Rights Reserved.