New Hotmail breach reported

September 14, 1999
Web posted at: 2:53 p.m. EDT (1853 GMT)

(CNN) -- Microsoft has confirmed another breach in the company's free Hotmail service, coming just weeks after a more menacing hole left e-mail accounts wide open for anyone to read.

The new hole is more complex to execute but allows savvy users to send Hotmail users a message that displays a false login screen. Once the Hotmail user enters his or her password, it's stolen and delivered to the other user, said Bulgarian security consultant Georgi Guninski, who found the hole.

Users could execute the breach by inserting a bit of JavaScript into an HTML "STYLE" tag in an e-mail message. JavaScript is a programming language for designing interactive Web pages.

"This specific tag is not one that we currently filter out," said Deanna Sanford, a lead product manager for Microsoft, referring to the STYLE tag, "and that is something we are currently looking into now."

Richard Smith, a computer security specialist who helped federal investigators track down the author of the Melissa e-mail virus, said the bug was less troubling than the Hotmail hole that was open for several hours and came to light August 30.

"This problem is not as serious as the last Hotmail problem but still pretty interesting," said Smith, president of Phar Lap Software in Cambridge, Massachusetts.

The earlier hole caused Microsoft to take down its free e-mail service for a couple of hours. The breach was closed by the day's end.

Microsoft confirmed the newest breach Tuesday and said it has installed some filters in years past to take out particular coding tags in order to provide better security for users.

Microsoft, which received no reports of e-mail break-ins from Hotmail users, hesitates to take that measure, she said.

"There are some good uses for certain JavaScript tags so we need to weigh the balance," she said.

The new bug worked through a JavaScript block that users could put in a Hotmail message. The Hotmail recipient executes the JavaScript if they use Netscape Navigator 4.0 or Internet Explorer 5.0, Guninski said in an e-mail he posted to a mailing list. There are slight variations in the JavaScript, depending on the targeted browser.

"I am pretty sure it is also possible to read user's messages, to send messages from a user's name and (do) other mischief," Guninski wrote.

The hole resembles similar problems found with other Web-based e-mail services, eBay and Web anonymizing services, Smith said.

Guninski has found dozens of security holes in software, especially in Netscape and Internet Explorer, the two most popular Web browsers.

Guninski puts the responsibility for this hole squarely on Microsoft's shoulders.

"This is not a browser problem, it is Hotmail's problem," Guninski wrote.

An outside audit of Hotmail announced Monday will not address the breach that came to light Tuesday, Sanford said, because the auditors plan to review the August 30 breach and Microsoft's response to it, not all security concerns with Hotmail.

Users with extreme commitments to security could block out all JavaScript in their browsers, she said.

The bug failed to allow access to others' Hotmail accounts later in the day, Sanford said.
