Yesterday, an error in a setting for WebTV email servers resulted in some subscriber email revealing normally hidden user information--including an identification number that WebTV assigns to each subscriber. Critics said the flaw could potentially be exploited to terminate a customer's WebTV service, for instance--but Microsoft downplayed such concerns because of the limited scope of the problem.
The company said the only emails to reveal subscriber information were those returned to the original sender because the general WebTV mailbox was too full to accept more messages.
Still, the WebTV glitch comes at an inopportune time for the software giant. Microsoft has been scrambling to reassure its Hotmail email users of its commitment to security in the face of a recent string of bugs and snafus.
The most notable glitch, which brought the Hotmail system down on August 30, allowed even the most inexperienced of malicious Web hackers to easily access password-protected email accounts.
Microsoft subsequently said it had contracted with an outside auditor to assess its Web security.
Although MSN's Hotmail service and WebTV are two separate Microsoft properties, the two groups are expected to become more tightly integrated in the future. Plus, as e-commerce becomes more popular in general, many potential online customers are watching carefully to see how major companies treat user privacy, analysts warn. Snafus now may result in stunted online sales over the next few years, they say.
The email server problem, which also hit WebTV last November, was first reported on the Net4TV Web site.
"The first and obvious security concern with the exposure of user and subscriber IDs is the loss of anonymity that you may have," according to a report on the site. "But a more serious concern is the potential invasion of your WebTV account and private information, and even the ability for someone far away to target you and terminate your users or your service."
For its part, WebTV insists that user privacy wasn't compromised as a result of the glitch. Even if a malicious hacker could get access to subscriber identification numbers, he or she couldn't match the information to an email account or credit card number, said Bill Yundt, vice president of network operations for WebTV, in an email.
"WebTV is very concerned with the privacy and the security of its users and takes them seriously," said Yundt. "This oversight was corrected within hours of when WebTV was made aware of the problem.
"Unfortunately, a configuration error was made on one or two mail gateways, which resulted in the stripping code being ineffective," Yundt explained. "As soon as WebTV was notified that subscriber IDs were visible, the problem was diagnosed and repaired."