Cookies cap Hotmail security hole

The free email service says it will mandate the use of cookies in order to plug a newly discovered security bug.

Paul Festa, Staff Writer, CNET News.com, covers browser development and Web standards.
Hotmail said it will mandate the use of cookies to plug a newly discovered security hole.

MSN Hotmail, Microsoft's free, Web-based email service, authenticates its users in one of two ways. Hotmail servers can either check a cookie placed on the user's hard drive or check the user's Internet Protocol (IP) address.

The security hole Hotmail plans to plug could make users who access Hotmail through a public terminal or other shared computer vulnerable to the prying eyes of subsequent users.

According to Sivakumar Nadarajah, a Chicago software engineer, account invaders can swap information found in old Hotmail URLs after digging them out of previous users' browsing history.

By replacing some of that information, the invader can access another user's account as long as that user is logged into Hotmail elsewhere. Logging out of Hotmail does not protect against the exploit.

Hotmail said it had caught the security problem during a routine security audit and was close to implementing its fix, which is to stop authentication by IP address and require the use of cookies.

The service noted that users currently can protect themselves against the exploit by opting for cookie-based authentication.
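The difference between the two authentication methods the article describes can be seen in a small model of a session store. The code below is an added illustration, not Hotmail's code, and it does not reproduce Hotmail's exact checks (the article does not spell them out); the class and function names, the account name `alice`, the TEST-NET address used for the shared terminal, and the two policies as written are all constructed here. It shows why an IP address cannot tell apart two people using the same terminal, while a secret token carried only in a cookie, never in a URL, can.

```python
"""Toy model of the two authentication policies the article contrasts.

Constructed illustration: it is NOT Hotmail's code and does not reproduce
Hotmail's exact checks. It models one general point: an IP address is shared
by every user of a terminal (or NAT), so it cannot tell users apart, while a
secret cookie token that never appears in a URL can.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    account: str
    ip: str           # client address recorded at login
    token: str        # secret issued at login, sent back only as a cookie
    active: bool = True


@dataclass
class Request:
    ip: str
    url_account: str                       # account name carried in the URL (lands in browser history)
    cookies: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._by_account: dict[str, Session] = {}

    def login(self, account: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_account[account] = Session(account, ip, token)
        return token

    def logout(self, account: str) -> None:
        s = self._by_account.get(account)
        if s is not None:
            s.active = False     # revoke server-side; a leftover cookie is now useless

    def authorize_by_ip(self, req: Request) -> bool:
        """Weak policy (the one being retired): the account named in the URL
        is granted if a live session for it was opened from the same IP."""
        s = self._by_account.get(req.url_account)
        return s is not None and s.active and s.ip == req.ip

    def authorize_by_cookie(self, req: Request) -> bool:
        """Corrected policy: the request must present the session's secret
        token as a cookie. Nothing in the URL and nothing about the IP is trusted."""
        s = self._by_account.get(req.url_account)
        presented = req.cookies.get("session")
        if s is None or not s.active or presented is None:
            return False
        return secrets.compare_digest(presented, s.token)


TERMINAL_IP = "203.0.113.7"   # constructed: a shared public terminal (TEST-NET address)


def demo() -> dict:
    """Walk through the shared-terminal scenario under both policies."""
    store = SessionStore()
    token = store.login("alice", TERMINAL_IP)

    # Alice's own request: the URL names her account and her browser sends the cookie.
    own = Request(TERMINAL_IP, "alice", {"session": token})
    owner = (store.authorize_by_ip(own), store.authorize_by_cookie(own))

    # The next person at the same terminal re-opens a URL left in the browser
    # history: same IP, same URL, but no cookie for Alice's session.
    replay = Request(TERMINAL_IP, "alice")
    ip_accepts = store.authorize_by_ip(replay)
    cookie_accepts = store.authorize_by_cookie(replay)

    # Logging out revokes the session server-side, which ends both policies' access.
    store.logout("alice")
    after = (store.authorize_by_ip(own), store.authorize_by_cookie(own))

    return {
        "owner_with_cookie": owner,                      # (True, True)
        "ip_policy_accepts_replay": ip_accepts,          # True: the hole
        "cookie_policy_accepts_replay": cookie_accepts,  # False: the fix
        "after_logout": after,                           # (False, False)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the model makes visible. First, moving the secret out of the URL and into a cookie only helps on a shared machine if the cookie is not left behind, so the user still has to log out (server-side revocation, as `logout` does here) or rely on a session cookie that the browser discards when it closes. Second, the model keeps one session per account, so it does not show the situation the article mentions of a user who is still logged in elsewhere; logging out at the terminal in that case leaves the other session open.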

Cookies have inspired some criticism from privacy advocates but remain common tools for many content and e-commerce Web sites, including other Web-based email services.

In other Hotmail news, Microsoft today announced a beta test of the already reported integration of Hotmail with Internet Explorer's Outlook Express email client software.

Microsoft announced the limited beta of an offline email management service that feeds Hotmail messages into Outlook Express and synchronizes the online and offline accounts. Users who have downloaded the complete IE 5 can find the beta under the "Tools: Accounts: Mail: Add New Account" menu item. Microsoft said it would only accept a limited number of beta testers.

Microsoft isn't the first to offer offline Hotmail management. C-WebMail makes a product that does the same for both Hotmail and Yahoo.

Hotmail is emerging as one of Microsoft's hottest properties. The service claims more than 30 million users, and Microsoft chief executive Bill Gates recently said that desktop applications above and beyond email are headed for free, Web-based service.