For the past week Microsoft has been "thoroughly investigating" a scenario in which expired Hotmail accounts are thought to provide an avenue for either malicious or unwitting appropriation of existing IM usernames and contact lists, according to a company representative. A recent complaint followed a general warning about the problem, which surfaced more than a year ago.
Hotmail suspends accounts that are idle more than three months and deletes those accounts after another three months elapse. James Nelson, a systems administrator for Cisco Systems, says he lost his Hotmail account because of inactivity, and when he created a new account with the same name, he found that his old IM contact list lingered with the cleaned-out account.
"If you use a Hotmail account to log into Instant Messenger and your Hotmail account gets canceled, your contact (or 'buddy') list does not get cleaned," Nelson said in a recent posting to the Bugtraq security mailing list. "If another person creates a Hotmail account using that name, they will have access to your contact list and will show up on any contact list you're a part of."
Security analysts don't fault Hotmail and other free email providers for deleting idle accounts; such practice is standard with free Web-based services. But some criticize Microsoft for failing to ensure that lapsed accounts do not pose opportunities for identity confusion or theft.
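The flaw the article describes is a lifecycle bug rather than a cryptographic one: the contact graph is keyed by a username that can be released and re-registered, and account deletion does not cascade to that graph. The toy model below is an added example, not Microsoft's code and not a description of how Hotmail or MSN Messenger actually stored anything. It contrasts a directory that keys contact lists by reusable username and never purges them (the behaviour Nelson reports) with one that keys them by an immutable account id, cascade-deletes the edges on account deletion, and reserves the released name for a while. The class names, the `touch`/`sweep` methods, the 180-day deletion threshold derived from the article's two three-month windows, and the 365-day reservation window are all constructed for the example.

```python
"""Toy account-lifecycle model of the orphaned-contact-list flaw.

Constructed example: it does not model Hotmail's or MSN Messenger's real
storage. Suspension is omitted; only the deletion step matters here.
"""
from itertools import count

DELETE_AFTER_DAYS = 180   # three idle months to suspend, three more to delete
RESERVE_DAYS = 365        # hypothetical: how long a released name stays blocked


class VulnerableDirectory:
    """Contact lists keyed by reusable username and never purged on deletion."""

    def __init__(self):
        self.active = set()       # usernames that currently exist
        self.last_seen = {}       # username -> day of last login
        self.contacts = {}        # username -> set of usernames (never purged)

    def register(self, name, today):
        if name in self.active:
            raise ValueError("name taken")
        self.active.add(name)
        self.last_seen[name] = today
        self.contacts.setdefault(name, set())   # a stale list is silently inherited

    def touch(self, name, today):
        self.last_seen[name] = today

    def add_contact(self, owner, other):
        self.contacts[owner].add(other)
        self.contacts[other].add(owner)

    def contacts_of(self, name):
        return set(self.contacts.get(name, ()))

    def sweep(self, today):
        for name in list(self.active):
            if today - self.last_seen[name] >= DELETE_AFTER_DAYS:
                self.active.discard(name)       # bug: the contact graph stays behind


class HardenedDirectory:
    """Immutable account ids, cascade delete, and a reservation window."""

    def __init__(self):
        self._ids = count(1)
        self.name_to_id = {}      # username -> immutable account id
        self.last_seen = {}       # account id -> day of last login
        self.contacts = {}        # account id -> set of account ids
        self.reserved_until = {}  # released username -> first day it may be reused

    def register(self, name, today):
        if name in self.name_to_id:
            raise ValueError("name taken")
        if today < self.reserved_until.get(name, 0):
            raise ValueError("name reserved after deletion")
        aid = next(self._ids)
        self.name_to_id[name] = aid
        self.last_seen[aid] = today
        self.contacts[aid] = set()              # a fresh id always starts empty

    def touch(self, name, today):
        self.last_seen[self.name_to_id[name]] = today

    def add_contact(self, owner, other):
        a, b = self.name_to_id[owner], self.name_to_id[other]
        self.contacts[a].add(b)
        self.contacts[b].add(a)

    def contacts_of(self, name):
        id_to_name = {v: k for k, v in self.name_to_id.items()}
        return {id_to_name[p] for p in self.contacts[self.name_to_id[name]]}

    def sweep(self, today):
        for name, aid in list(self.name_to_id.items()):
            if today - self.last_seen[aid] >= DELETE_AFTER_DAYS:
                for peer in self.contacts.pop(aid):   # cascade: no dangling edges
                    self.contacts[peer].discard(aid)
                del self.last_seen[aid]
                del self.name_to_id[name]
                self.reserved_until[name] = today + RESERVE_DAYS


def run_scenario(directory):
    """Alice befriends Bob, goes idle past the deletion window, and a second
    person then registers 'alice'. Returns what that second person inherits."""
    directory.register("alice", today=0)
    directory.register("bob", today=0)
    directory.add_contact("alice", "bob")
    directory.touch("bob", today=200)            # Bob stays active, Alice does not
    directory.sweep(today=200)                   # Alice's account is deleted
    try:
        directory.register("alice", today=201)   # someone else takes the name
        blocked = False
    except ValueError:
        blocked = True
        directory.register("alice", today=600)   # retry after the reservation lapses
    return {
        "blocked_immediately": blocked,
        "inherited": directory.contacts_of("alice"),
        "bob_sees_alice": "alice" in directory.contacts_of("bob"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableDirectory()))
    print("hardened:  ", run_scenario(HardenedDirectory()))
```

In the vulnerable directory the new "alice" inherits Bob as a contact and still appears on Bob's list, which is exactly the impersonation path Nelson describes. In the hardened one the name is refused for the reservation window, and even once it is released the new account starts with an empty list and Bob's list no longer references the old account, because the edges were attached to the deleted id rather than to the reusable name.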
"The program is using Hotmail as its user base," wrote software developer Dmitri Alperovitch, a founder of Encryption Software, which makes a product for encrypting instant messaging software, including MSN IM. "So, you might find yourself in a situation where you've been unable to access your Hotmail account for three months and someone else has registered your account and is impersonating you on MSN Messenger!"
Nelson said in an interview that he fell victim to the scenario twice: once when someone else registered a Hotmail account he had let lapse, and another time when he reregistered his own lapsed account.
Though he convinced the other party to delete his personal contacts, Nelson said the glitch could pose a serious privacy problem, depending on who had registered the abandoned Hotmail account.
"There are a lot of malicious people out there," Nelson said. "It's a privacy issue for them to be able to get all your contacts."