The problem came to light this morning after networking solutions reseller Specialty Installations posted a demonstration of it on the company's "Because We Can" Web site. That site is dedicated to not-for-profit work that the Canadian company's Web programmers produce.
Dubbed "Hot" Mail, the exploit is an email message containing a so-called "Trojan Horse" that alters the Hotmail user interface. In this altered interface, any command the user makes yields a bogus Hotmail "time expired" message asking the user to reenter his or her user name and password.
Once these are entered, the user returns to the standard Hotmail site. But the user name and password are on their way to the malicious coder, or, in the case of the demonstration, to Specialty Installations.
"It does appear to work," said Sean Fee, director of product marketing at Hotmail. "It appears to be a security breach within Hotmail. We are investigating its feasibility and scope, and we will fix it as quickly as possible. We have got a pretty significant team here working on this. Protecting our personal email users and their accounts is of paramount importance to us."
Free said Hotmail was considering a number of options, including the one Cervenka suggested. He would not specify alternate solutions, but did say that the company was working on a way to notify Hotmail users of the risk.
Hotmail currently has 22 million active users. Hotmail defines an active user as one who has used his or her account in the past 120 days.