
Hotmail breach: whodunnit?


By Robin Lloyd
CNN Interactive Senior Writer

August 31, 1999
Web posted at: 1:36 p.m. EDT (1736 GMT)





(CNN) -- A New Jersey man who wrote a simple program to save himself the time it takes to repeatedly log on to Microsoft's Hotmail said he had nothing to do with a breach that cracked the privacy of millions who subscribe to the Web-based e-mail service.

"I'm in a little bit of shock right now," Michael Nobilio said after he learned that he had been credited as a responsible party by an online computer news service. "This story is entirely fiction."

The breach came to light Monday and allowed users to open anyone's Hotmail account, as well as send e-mail under their name.

Microsoft said it fixed the problem later in the day, but it remained unclear whether new hacker code would surface Tuesday or another day, defeating Hotmail's promise of renewed privacy for its 40 million subscribers.

Nobilio's program was a simple JavaScript that saved his username as a "cookie" on his personal computer so he didn't have to type his username repeatedly throughout a day of rechecking his Hotmail. The program provided no access to his password, he said. He had to type that in.

"It was totally harmless. It was just a time-saver, that was it," he said. It is still unclear if Nobilio's program had anything to do with the breach that lasted several hours and forced Hotmail to take down its service for two hours Monday.

A group called Hackers Unite has claimed responsibility for the breach, it was reported Tuesday by Wired News online.

Through a spokesman, the group said they announced the hole to the Swedish media over the weekend to make Microsoft look bad and show that its security could be defeated. The Swedish newspaper Expressen first reported the breach. Hackers Unite reportedly is comprised of one Swede and seven Americans.

How it worked still a mystery

Hackers have known various ways to crack into Hotmail for some time. What reportedly happened over the weekend is that hackers took advantage of a Hotmail login script.

Security expert Richard Smith said the problem likely came through a backdoor left open on Hotmail servers by Microsoft coders. Smith is president of Phar Lap Software in Cambridge, Massachusetts, and helped track down the author of the "Melissa" virus earlier this year.

Microsoft blamed the incident on hackers, not on coders who failed to close security loopholes in their software.

The breach came in two waves Monday -- an initial opening came via several Web sites that Microsoft closed down by 11 a.m. and a second entrance through a Web address came to light in the mid-afternoon.

The second entrance seemed to take advantage of a CGI script on Hotmail servers that allowed a user to slide into a Hotmail account without using a password. Microsoft shut that down just after 4:30 p.m.

'You have to be well-trained, highly caffeinated and alert'

Adam Arrowood, a computer research scientist at the Georgia Institute of Technology, said that absolute security is a tough hurdle when writing software for the Web.

Programs that run browsers connect to a server, get information and disconnect, rather than keeping a continuous link. That makes it hard for security applications to keep track of passwords and logins, he said.

"It's very tricky," he said. There is no one with more than three years of experience in the field.

"You have to be well-trained, highly caffeinated and alert when you are doing this," he said, "or there will be ways around security measures that you attempt to put in."

