Internet

Web email bug bites the Net

Hotmail is working to plug a security hole that could make a monkey out of any Web surfer.

Hotmail is working to plug a security hole that could make a monkey out of any Web surfer.

The hole, thought to be common to all the Web-based email providers, permits one to create a piece of incriminating email that can be falsely traced to the victim's computer. The user doesn't even have to have an email account.

Such a trick could be a mere nuisance, or, in the case of spam, libel, or a death threat, could put the victim in legal jeopardy.

"The trick lets you forge an email from any person's IP address, just by tricking them into visiting a Web page," said the Bennett Haselton, who discovered the hole and demonstrated it using Hotmail. The founder of antifiltering group Peacefire, Haselton recently created a program to crack Net filtering software Cyber Patrol. (See related story)

Haselton's exploit uses JavaScript, a scripting language developed by Netscape Communications. A script is a set of commands normally executed without any action on the user's part. Scripts are useful for Web features like pop-up windows; but they also figure into a large proportion of security scenarios.

Both Haselton and Hotmail declined to provide more specific technical details on the security glitch in order to help prevent its exploitation.

Hotmail is testing a patch, which it plans to implement on Monday.

While Haselton created his demonstration using Hotmail--with more than 30 million users the leading free email provider--both he and Hotmail stressed that other Web-based emailers were likely to be vulnerable to the same problem.

Hotmail and other Web-based free email providers are not anonymous services. While users don't have to give their real names when they register, Hotmail logs and saves the Internet Protocol (IP) address of every computer from which mail is sent. Hotmail would then turn that information over to law enforcement in cases of suspected illegal activity.

"Hotmail passwords and accounts aren't at risk in this example," said Hotmail product manager Laura Norman. "But we're always really concerned with providing a safe environment for all Internet users, and that our service is used legitimately, so we took a look at this and prepared some modifications of our site that would block the ability to use Hotmail as a transport for this kind of malicious intent."

Norman also noted that someone pulling off such an exploit wouldn't go undiscovered for long, if an incident wound up being investigated.

"We have the IP history of who set up that account," Norman said. "From Hotmail's perspective, the perpetrator would be eminently catchable. But we're putting up a roadblock so you wouldn't be able to do this anyway."

Many Internet service providers, including some corporations, assign their users randomly generated IP addresses rather than fixed or static IP addresses. But the ISP maintains a log of what IP address goes to what computer at each session, so these users are still at risk.

Forged IP addresses--commonly used by spammers--also may call into question the reliability of IP addresses in general. But security experts note that, in order to forge an IP address, the forger must take advantage of a badly configured SMTP server, which sends the mail. Hotmail's SMTP servers are known to be well-configured.

The Web-based emailer is only a tool in Haselton's exploit. One Internet security maven suggested that any standard email reader, like Microsoft's Outlook, Netscape's Messenger, and Qualcomm's Eudora, could be used to pull off a similar stunt.

Richard Smith, of Phar Lap Software, has demonstrated similar JavaScript exploits on the Web. One sends a fraudulent email, one posts fraudulent newsgroup messages, and another posts fraudulent feedback to a Web site.

In one hypothetical scenario, this last exploit could be used to send a threatening email to the White House Web site, Smith observed.

"Web site server logs will give the IP address of the victim's computer, allowing for easy tracing of the threat," Smith said. "Proving that it was an email message that sent the threat and not the victim will be very difficult to explain to the U.S. Secret Service agents that come knocking at the door."

Smith, who demonstrated these holes last year, said email client vendors have not taken the problem seriously enough.

"I did bring this issue up with Netscape and Microsoft last year," said Smith. "I suggested that it is a bad idea for an email message to be able to automatically submit forms from an HTML email message and the feature should be turned off. It looks a big security hole to me, but I guess Netscape and Microsoft don't agree."