Bug bites free email services at MailCity, iVillage

WhoWhere representatives would not disclose how many people have registered for the company's MailCity service, nor would they estimate how many other accounts may have been at risk or how long the bug might have existed. Representatives for women's portal iVillage said the company has 4.9 million registered subscribers for its free email service, which it has outsourced to WhoWhere for about two years.

WhoWhere spokesman Brian Degonia confirmed the service had a problem but said the company received no complaints about security breaches until it was contacted Monday by CNET News.com. He said the problem was fixed by Monday night.

The breach, which allowed intruders to peruse email and send messages as though accounts were their own, serves as the latest reminder of pervasive security problems with free Web-based email services, security experts said.

The problem was first noticed by an iVillage customer last week. Alan Redpath, whose online moniker is "Geordie Al," said he noticed that the company's free email service allows Web sites to collect data that lets intruders enter password-protected accounts.

Access to the accounts was gained through a program called Site Meter, which some Web sites use to collect traffic data. If a person visited a Web page through a link embedded in an email received at his or her iVillage or MailCity account, the information recorded in Site Meter's referral log might have been used to take over the account.

Security issues with Web site traffic counters are not new. Microsoft's free email service, Hotmail, fixed a bug allowing similar unauthorized access more than a year ago.

Security consultant Richard Smith, who has tracked down numerous online security and privacy bugs, said the problem stemmed from WhoWhere's verification procedures, which check a person's login and password information.

"This kind of thing is normally prevented by a cookie that checks to see if the person is logging in from the right computer," he said. "Instead, WhoWhere puts the login information in the (Web address)," where it can be captured by an outsider.

A cookie is an electronic tag placed on a computer's hard drive to facilitate Web browsing activities.

Degonia confirmed that the service does not use cookie authentication and includes login and password information in Web addresses, or URLs. But he said the service uses other security measures to address the authentication problem. He explained that the company uses proxy servers to keep session information such as login names and passwords out of the wrong hands.

Smith said today that WhoWhere had fixed the problem, but he offered a caveat.

"They need to figure out every possible way a leak can happen," he said. "It looks like they found one this week. But that doesn't mean they won't find more in the future."