New Hotmail breach reported



September 14, 1999
Web posted at: 2:53 p.m. EDT (1853 GMT)

(CNN) -- Microsoft has confirmed another breach in the company's free Hotmail service, coming just weeks after a more menacing hole left e-mail accounts wide open for anyone to read.

The new hole is more complex to execute, but it allows a savvy user to send a Hotmail user a message that displays a false login screen. Once the Hotmail user enters his or her password, it is stolen and delivered to the sender, said Bulgarian security consultant Georgi Guninski, who found the hole.

Users could execute the breach by inserting a bit of JavaScript inside an HTML "STYLE" tag in an e-mail message. JavaScript is a programming language for designing interactive Web pages.

"This specific tag is not one that we currently filter out," said Deanna Sanford, a lead product manager for Microsoft, referring to the STYLE tag, "and that is something we are currently looking in to now."

Richard Smith, a computer security specialist who helped federal investigators track down the author of the Melissa e-mail virus, said the bug was less troubling than the Hotmail hole that was open for several hours and came to light August 30.

"This problem is not as serious as the last Hotmail problem but still pretty interesting," said Smith, president of Phar Lap Software in Cambridge, Massachusetts.

The earlier hole caused Microsoft to take down its free e-mail service for a couple of hours. The breach was closed by the end of the day.

Microsoft confirmed the newest breach Tuesday and said it had installed filters in past years to strip particular coding tags from messages in order to provide better security for users.

Microsoft, which has received no reports of e-mail break-ins from Hotmail users, hesitates to take that measure further, Sanford said.

"There are some good uses for certain JavaScript tags so we need to weigh the balance," she said.

The new bug worked through a JavaScript block that users could put in a Hotmail message. The Hotmail recipient executes the JavaScript if they use Netscape Navigator 4.0 or Internet Explorer 5.0, Guninski said in an e-mail he posted to a mailing list. There are slight variations in the JavaScript, depending on the targeted browser.
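The passages above describe a denylist filter that stripped some tags but not STYLE, so script carried in a STYLE block reached the recipient's browser. The following is an added example, not code from the article, Microsoft or Guninski: it contrasts a denylist of that kind with an allowlist rewrite, run over a constructed HTML message in which the STYLE block's content is a placeholder comment rather than any real payload. Tag names, attribute lists and the sample message are assumptions chosen for illustration.

```python
"""Added example (not from the CNN article): two HTML e-mail filters run over
a constructed message that carries a STYLE block, a javascript: link and a
SCRIPT block. The denylist mirrors the gap the article describes; the
allowlist is the usual hardened form."""
import html
import re
from html.parser import HTMLParser

# Constructed sample message. The STYLE element stands in for the one Hotmail
# did not filter; its body is a placeholder comment, not a working payload.
SAMPLE_EMAIL = (
    "<p>Hi, your session expired, please sign in again.</p>"
    "<style>/* PLACEHOLDER: browser-specific script hidden in a style block */</style>"
    '<a href="javascript:alert(1)" onclick="x()">re-login</a>'
    "<script>alert(1)</script>"
)

# Constructed benign message, to show the allowlist keeps ordinary markup.
BENIGN_EMAIL = '<p>Hello <b>world</b> <a href="https://example.com">link</a></p>'


def denylist_filter(html_text):
    """Strip only SCRIPT elements. Anything not on the list (STYLE here, and
    javascript: URLs and on* handlers) passes through untouched."""
    return re.sub(r"<script\b.*?</script>", "", html_text, flags=re.I | re.S)


# Allowlist: only these tags and attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from allowed tags only. SCRIPT and STYLE are
    removed together with their text, since their bodies are code, not prose."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            # on* event handlers and any attribute not allowed for this tag go
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # links must use a known-safe scheme; javascript: and friends fail
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # text is re-escaped so it cannot reopen markup on output
            self.out.append(html.escape(data, quote=False))


def allowlist_filter(html_text):
    """Return the message rebuilt from allowed markup only."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("denylist :", denylist_filter(SAMPLE_EMAIL))
    print("allowlist:", allowlist_filter(SAMPLE_EMAIL))
    print("benign   :", allowlist_filter(BENIGN_EMAIL))
```

The denylist output still contains the STYLE block and the javascript: link, which is exactly the class of gap Sanford's quote describes; the allowlist output reduces the message to a paragraph and a bare link, while the benign message comes through unchanged.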

"I am pretty sure it is also possible to read user's messages, to send messages from a user's name and (do) other mischief," Guninski wrote.

The hole resembles similar problems found with other Web-based e-mail services, eBay and Web anonymizing services, Smith said.

Guninski has found dozens of security holes in software, especially in Netscape and Internet Explorer, the two most popular Web browsers.

Guninski puts the responsibility for this hole squarely on Microsoft's shoulders.

"This is not a browser problem, it is Hotmail's problem," Guninski wrote.

An outside audit of Hotmail announced Monday will not address the breach that came to light Tuesday, Sanford said, because the auditors plan to review the August 30 breach and Microsoft's response to it, not all security concerns with Hotmail.

Users with extreme commitments to security could block all JavaScript in their browsers, she said.

The bug failed to allow access to others' Hotmail accounts later in the day, Sanford said.
