Expert: Hotmail hole likely started in Sweden


By Robin Lloyd
CNN Interactive Senior Writer

August 31, 1999
Web posted at: 4:14 p.m. EDT (2014 GMT)

In this story:

New Jersey man denies responsibility

'You have to be well-trained, highly caffeinated and alert'


(CNN) -- A breach that cracked the privacy of millions of Hotmail users likely originated in Sweden and traded on a Microsoft bug and a simple, innocent program written by a New Jersey man to save himself e-mail log-in time, a computer expert said Tuesday.

"It's simply a bug at Hotmail servers," said Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts. Smith is a computer security specialist who helped track the author of the "Melissa" virus earlier this year.

The breach came to light in the pre-dawn hours of Monday, and Microsoft, which owns the Web-based e-mail service, said it was entirely eliminated by that late afternoon.

The bug had been exploitable for many months and allowed users to log in without a password in certain circumstances at multiple Hotmail servers, Smith said.

Somebody eventually found the bug, possibly via a timesaving program written more than a year ago and posted on the Internet by Michael Nobilio, Smith said.

But it is still unclear who found the bug first.

"My theory is someone noticed you could type in any password," Smith said.

A group called Hackers Unite reportedly has claimed responsibility for the breach, which worked much like Nobilio's program but operated initially through a Web site based in Sweden showing a log-in screen for Hotmail.

Users then only had to enter a Hotmail username to gain access to anyone's account. No password was needed, and users could read messages and send messages while assuming another's identity. The evidence points to a link between Nobilio's program and the Swedish Web site.

"I looked at the URL that (Nobilio's) script will generate. It's identical to that which the Web site in Sweden was generating. There are too many coincidences there," Smith said.

Still, it is uncertain where exactly the breach originated, he said. It could be Hackers Unite, reportedly comprised of seven Americans and a Swede, or it could be someone else, Smith said.

New Jersey man denies responsibility

Nobilio said he wrote the Hotmail log-in program as a convenience to save the time it takes to repeatedly log on to Microsoft's service.

"I'm in a little bit of shock right now," Nobilio said after he learned that he had been credited Monday as a responsible party by an online computer news service. "This story is entirely fiction."

It was unclear if new code would arise Tuesday or another day, defeating Hotmail's promise of renewed privacy for its 40 million subscribers. Hotmail sent out e-mail Tuesday, reassuring its clients of their privacy.

Nobilio's program was a simple piece of JavaScript that saved his username as a "cookie" on his personal computer so he didn't have to type his username repeatedly throughout a day of rechecking his Hotmail. The program provided no access to his password, he said. He had to type that in.

"It was totally harmless. It was just a time-saver, that was it," he said.

It is likely that the breach was created by trading on Nobilio's program, Smith said. The breach lasted several hours and forced Hotmail to take down its service for two hours Monday.

Hackers have known various ways to crack into Hotmail for some time.

The breach on Monday was the most serious and came in two waves, with the second simply providing a more direct route to the password-free log-in door to Hotmail.

In both cases, the breach was made by someone who took advantage of Hotmail's log-in or "start" script. The manipulation of that type of script, called CGI or Common Gateway Interface script, allowed a user to slide into a Hotmail account sans password.

Microsoft placed the blame for the incident on hackers, not on the coders who failed to close security loopholes in their software.

Microsoft shut down the second wave of the breach just after 4:30 p.m. Monday.

'You have to be well-trained, highly caffeinated and alert'

Adam Arrowood, a computer research scientist at the Georgia Institute of Technology, said that absolute security is a tough hurdle when writing software for the Web.

Browser programs connect to a server, get information and disconnect, rather than keeping a continuous link. That makes it hard for security applications to keep track of passwords and log-ins, he said.
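As an added illustration (not code from the article, from Nobilio or from Microsoft), here is the pattern Smith describes next to its remedy: a "start" script that hands over a mailbox for whatever username appears in the URL, beside one that, because each request arrives with no connection state, only honours a signed, expiring session token issued after the password was actually checked. The users, mailbox, salt and signing scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the mail service's data (hypothetical, not Hotmail's).
_SERVER_KEY = secrets.token_bytes(32)      # per-server secret used to sign sessions
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
_MAILBOX = {"alice": ["Welcome to your inbox"]}


def start_insecure(url):
    """Models the flaw the article describes: the start script trusts the
    username in the URL and never checks that a password was verified."""
    qs = parse_qs(urlsplit(url).query)
    user = qs.get("login", [""])[0]
    return _MAILBOX.get(user)              # any username alone opens the mailbox


def login(user, password, ttl=900):
    """Verify the password once, then issue a token the stateless start
    script can check on every request. Returns None on a wrong password."""
    stored = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    expires = int(time.time()) + ttl
    payload = f"{user}:{expires}".encode()
    sig = hmac.new(_SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}:{sig}"


def start_secure(url, now=None):
    """Hardened start script: the mailbox owner comes from a verified token,
    not from a client-chosen username; a missing, forged or expired token
    yields None. `now` is injectable so expiry can be tested."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("token", [""])[0]
    try:
        user, expires, sig = token.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{user}:{expires}".encode()
    expected = hmac.new(_SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                        # signature check precedes int() below
    if int(expires) < (now if now is not None else time.time()):
        return None
    return _MAILBOX.get(user)
```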

"It's very tricky," he said. There is no one with more than three years of experience in the field.

"You have to be well-trained, highly caffeinated and alert when you are doing this," he said, "or there will be ways around security measures that you attempt to put in."
