Hotmail hole raises larger security issues
A security hole discovered yesterday in Microsoft's MSN Hotmail calls into question the free email service's practice of allowing users to log on from any Web page, security experts say.
Free email services, which users access from a Web browser, are hot commodities. Microsoft claims that more than 40 million people have signed up for Hotmail, and AOL estimates that nearly 20 million people use its Netscape Netcenter free email service.
While Netscape, Yahoo, and other free email services direct users to specific login Web sites, Hotmail allows users to access their accounts from any Web page. A simple login HTML form or Javascript, which appears on the Web page as a box for the username and password, is all that is needed. Many Web sites offer this service.
The more secure method would be to restrict access through the Hotmail home page, security experts said. Microsoft is not alone in this practice, but Hotmail's size makes it a particularly vulnerable target.
Yesterday's password hole is an excellent example of the method gone mad.
The Hotmail Login ID Storage Program 1.1, authored by Michael Nobolio, appeared in modified form on Web pages in the United Kingdom and Sweden. The modified version let users access any account without a password.
Security experts later concluded there was nothing unique about Nobolio's program. It apparently exploited a security weakness that appeared over the weekend when Microsoft upgraded its Hotmail servers.
Login programs typically call up a Web address, or URL, that launches a login process on the email server. If an email service makes changes on its servers that host thousands of Web pages, the login programs are not necessarily updated as well. Typically users would not be able to access their accounts using the program. But more serious problems, like yesterday's security hole, can occur.
"I think [login programs are] a big mistake, said Richard Smith, president of Cambridge-based Phar Lap Software. "If you log in from somebody else's Web page, they can equally bug the message to grab your username and password."
The program's author said the problem lies more with Microsoft's verification procedures. "Hotmail needs to check the username and password against a database to make sure they both exist," Nobolio said. "It sounds like this was not being done on the server at Hotmail, as a client [browser] can have no knowledge of 40 million-plus passwords stored on a server."
Microsoft said yesterday the Hotmail problem exploited a weakness in the login script for a particular Hotmail server. The problem reappeared because Microsoft failed to fix another server, said Deanna Sanford, MSN lead product marketing manager.
The only solution, said security experts, is to restrict login access to a central page.
Microsoft may have solved yesterday's security issue, but the login programs present another security problem.
One CNET reader demonstrated just how easy it is to exploit this kind of weakness. He pointed out that Javascripts for logging into Hotmail, Netcenter, and other free email services are widely available. Combined with a little knowledge of another programming language, Perl, a Web page author can steal the usernames and passwords.
The users would have to access their accounts through that Web page and not the main Hotmail site to be vulnerable.
"I wrote a simple five-line Perl script, and voila--it worked wonderfully on my test Hotmail account," the reader said. "You don't even know your account has been stolen."
Nobolio is dismayed at being a part of yesterday's Hotmail problem. He said he wrote his login program as a matter of convenience. "It was a timesaver and was quite useful, as I often checked my mail," he said.