MSN Hotmail, Microsoft's free, Web-based email service, authenticates its users in one of two ways. Hotmail servers can either check a cookie placed on the user's hard drive or check the user's Internet Protocol (IP) address.
The security hole Hotmail plans to plug could make users who access Hotmail through a public terminal or other shared computer vulnerable to the prying eyes of subsequent users.
According to Sivakumar Nadarajah, a Chicago software engineer, account invaders can swap information found in old Hotmail URLs after digging them out of previous users' browsing history.
By replacing some of that information, the invader can access another user's account as long as that user is logged into Hotmail elsewhere. Logging out of Hotmail does not protect against the exploit.
The service noted that users currently can protect themselves against the exploit by opting for cookie-based authentication.
Cookies have inspired some criticism from privacy advocates but remain common tools for many content and e-commerce Web sites, including other Web-based email services.
In other Hotmail news, Microsoft today announced a beta test of the previously reported integration of Hotmail with Internet Explorer's Outlook Express email client software.
Microsoft announced the limited beta of an offline email management service that feeds Hotmail messages into Outlook Express and synchronizes the online and offline accounts. Users who have downloaded the complete IE 5 can find the beta under the "Tools: Accounts: Mail: Add New Account" menu item. Microsoft said it would only accept a limited number of beta testers.
Hotmail is emerging as one of Microsoft's hottest properties. The service claims more than 30 million users, and Microsoft chief executive Bill Gates recently said that desktop applications above and beyond email are headed for free, Web-based service.