CNET también está disponible en español.

Ir a español

Don't show this again


Critical Path oversight exposes NSI email

The email hosting provider acknowledges a serious security hole that compromised accounts within services offered by a number of customers, including Network Solutions.

Email hosting provider Critical Path has acknowledged a serious security hole that compromised accounts within services offered by a number of customers, including Network Solutions, the dominant domain name registrar.

The hole is similar to one that plagued Microsoft's Hotmail last month by allowing access to a user's account without requiring a password first. The more recent breach, which Critical Path confirmed yesterday, comes as Network Solutions (NSI) is offering new services such as free email to hold on to customers who may be lured away by new competitors.

Critical Path, which provides behind-the-scenes resources for activating accounts on NSI's new service, said the problem affected other free email clients but declined to name them.

"Critical Path immediately took steps to resolve the issue, including disabling sign-ups for affected customers," said Steve Eldridge, a spokesman for Critical Path. "Critical Path is proactively working to improve security related to the sign-up process. We expect to have this completely resolved within 24 hours."

The security breach is the latest in a list that demonstrates the vulnerabilities of some Internet communications. About 40 million accounts on Hotmail were left exposed last month because of a bug in the service's login feature.

Other privacy risks include a host of software bugs in browsers built by Microsoft and Netscape, as well as cases in which companies such as Butterball and Nissan inadvertently disclosed customer information online.

Critical Path's service allows free email providers to automate the process of registering new users. After activating an account, Critical Path would allow the user to access it simply by clicking on a hyperlink. But because of an oversight in the way the San Francisco company set up the service, according to a security expert, Web users could access any NSI email account simply by modifying a few characters in the hyperlink address, which some security experts say is easy.

"It's not some sophisticated security scheme that someone bypassed," said Aviram Jenik, general manager at Israeli-based Securiteam. "It's a careless mistake in the design of the system." Jenik said he sent email alerting NSI to the problem last Saturday. NSI said it discovered the problem yesterday.

NSI, which until recently was the sole registrar of Internet domain names ending in ".com," ".net," and ".org," has been searching for ways to hold onto its sizable customer base as new competitors enter the market. The company's free email service, launched early this year, is designed to give customers an incentive to stay with the registrar.

NSI had already come under fire last week for establishing email accounts for its customers and then sending them the passwords in unencrypted emails. Critics also said the passwords were easy for third parties to guess. That problem, however, only allowed third parties to activate an account and masquerade as a particular user. The Critical Path problem, by contrast, could have exposed any email sent or received by a user.

NSI spokeswoman Cheryl Regan said it was too early to say what the company would do with the new service. "We're going to look at the responses we've gotten and consider future communications," she said. "We're factoring in every response we've gotten."

Critical Path has about 250 clients, but about 62 percent of its revenues come from just two companies--E*Trade and Verio--according to a recent filing with the Securities and Exchange Commission. Representatives from those companies were not immediately available for comment.