Hotmail, Yahoo scramble after email security flaws exposed

May 10, 2000
Web posted at: 5:24 p.m. EDT (2124 GMT)

(CNN) -- An Internet civil liberties organization said it discovered two serious security problems that would allow hackers considerable access to user accounts of several popular free Web-based email services like Hotmail and Yahoo!

The potential breaches seem to have been addressed by Wednesday afternoon, according to Peacefire.org and both companies.

Bennett Haselton of Peacefire.org said Wednesday that he found a "backdoor" in Hotmail that would let someone break into an account by sending a user an email with a malicious attachment that he designed.

When users view the attached HTML file, the cookies in the Hotmail domain could be "intercepted and sent to a hostile site," said Haselton, a freelance programmer in Seattle.

Because Hotmail uses the cookies to identify the user, "anyone who received them could log into Hotmail as that user," allowing them to read, delete and send mail from the account, he said.

A spokesperson for Microsoft Corp., which owns the email service, said "Hotmail has already implemented a fix on all of its servers."

Hotmail service was briefly unavailable to users during the repair. "This was done in the interest of user security. To the best of our knowledge, no user was affected," she said.

Haselton said Hotmail was not vulnerable to a deception that hackers could use to steal passwords from users of email services like Yahoo! and USA.NET.

The ruse offers false "Reply" or "Delete" buttons that forward to a bogus but seemingly legitimate Yahoo! Mail window, which indicates the session timed out and asks the unwitting email reader to re-enter a password.

The user continues reading email messages, but the password is sent to a hostile site, said Haselton, who announced the discovery on Tuesday.

"It's easy to figure out how the Yahoo! mail HTML interface is formatted, so in your HTML message, you just insert your own buttons, tables, etc. to look exactly like the bottom half of the real Yahoo!-message," he wrote on the Peacefire.org Web site.

Both Yahoo! and USA.NET said they implemented modifications within hours to prevent someone from using the exploit.

Haselton said his discoveries and revelations of these and other security glitches in Internet email services and browsers provide a valuable public service to Web companies.

"They are grateful when people find these problems. It helps them improve their security."

When asked if that was the case, a Microsoft spokesperson laughed and said, "I don't think that's something I can talk to you about."

© 2001 Cable News Network. All Rights Reserved.