New Hotmail breach reported
September 14, 1999
(CNN) -- Microsoft has confirmed another breach in the company's free Hotmail service, coming just weeks after a more menacing hole left e-mail accounts wide open for anyone to read.
The new hole is more complex to exploit, but it allows a knowledgeable attacker to send a Hotmail user a message that displays a false login screen. Once the Hotmail user enters his or her password, it is stolen and delivered to the sender, said Bulgarian security consultant Georgi Guninski, who found the hole.
"This specific tag is not one that we currently filter out," said Deanna Sanford, a lead product manager for Microsoft, referring to the STYLE tag, "and that is something we are currently looking in to now."
Richard Smith, a computer security specialist who helped federal investigators track down the author of the Melissa e-mail virus, said the bug was less troubling than the Hotmail hole that was open for several hours and came to light August 30.
"This problem is not as serious as the last Hotmail problem but still pretty interesting," said Smith, president of Phar Lap Software in Cambridge, Massachusetts.
The earlier hole caused Microsoft to take down its free e-mail service for a couple of hours. The breach was closed by the day's end.
Microsoft confirmed the newest breach Tuesday and said it has, in years past, installed filters that strip particular HTML tags from messages in order to better protect users.
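An added illustration, not Hotmail's code (which was never published), of why a filter that strips a fixed list of tags misses STYLE while an allowlist sanitizer does not. The sample message, the blocked-tag list and the allowed-tag list are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
# Constructed sample mail body: ordinary formatting, a STYLE block (placeholder
# CSS, not the original payload) and a SCRIPT block.
SAMPLE_MAIL = (
    "<p>Hi, <b>see attached</b>.</p>"
    "<style>body { background: white }</style>"
    "<script>alert(1)</script>"
)

# Blocklist, the approach the article attributes to Hotmail: remove a fixed set
# of known-dangerous tags. STYLE is not on the list, so it passes through.
BLOCKED = ("script", "iframe", "object", "embed", "applet")

def blocklist_filter(doc: str) -> str:
    for tag in BLOCKED:
        doc = re.sub(rf"<{tag}\b.*?</{tag}\s*>", "", doc, flags=re.I | re.S)
        doc = re.sub(rf"<\s*/?\s*{tag}\b[^>]*>", "", doc, flags=re.I)
    return doc

# Allowlist: re-emit only known-safe tags (attributes dropped wholesale here) and
# drop STYLE/SCRIPT with their contents; any tag not named simply disappears.
ALLOWED_TAGS = {"p", "b", "i"}
DROP_CONTENT = {"style", "script"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # re-escape decoded text

def sanitize(doc: str) -> str:
    p = AllowlistSanitizer()
    p.feed(doc)
    p.close()
    return "".join(p.out)
```

Run against SAMPLE_MAIL, blocklist_filter() removes the SCRIPT block but leaves the STYLE block intact, while sanitize() returns only the formatted paragraph.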
Microsoft, which received no reports of e-mail break-ins from Hotmail users, hesitates to take that measure, she said.
"I am pretty sure it is also possible to read user's messages, to send messages from a user's name and (do) other mischief," Guninski wrote.
The hole resembles similar problems found with other Web-based e-mail services, eBay and Web anonymizing services, Smith said.
Guninski has found dozens of security holes in software, especially in Netscape and Internet Explorer, the two most popular Web browsers.
Guninski puts the responsibility for this hole squarely on Microsoft's shoulders.
"This is not a browser problem, it is Hotmail's problem," Guninski wrote.
An outside audit of Hotmail announced Monday will not address the breach that came to light Tuesday, Sanford said, because the auditors plan to review the August 30 breach and Microsoft's response to it, not all security concerns with Hotmail.
By later in the day, the bug no longer allowed access to other users' Hotmail accounts, Sanford said.
© 2001 Cable News Network. All Rights Reserved.