Hotmail hole exposes free email accounts
Although Microsoft says it has patched a security hole in its MSN Hotmail free email service that let anyone access users' accounts without a password, tests of the program prove otherwise.
The second security hole of the day appeared midmorning and was not fixed until about 1:45 PT.
Security experts said that where there are two password holes, there are likely more, and they criticized Microsoft's decision to quickly say the breach had been fixed.
Microsoft initially pulled Hotmail offline for about two hours early this morning after being alerted that two Web sites, one in the United Kingdom and one in Sweden, allowed anyone to access any Hotmail account without a password. Would-be Hotmail pirates needed only know a username to get in.
The Web sites exploited a weakness in the login script for a particular Hotmail server. The problem reappeared because Microsoft failed to fix another server, said Deanna Sanford, MSN lead product marketing manager.
Several CNET News.com readers confirmed that the Web sites allowed access to Hotmail accounts without a password. They also pointed out the second security problem.
A Microsoft spokesperson initially claimed hackers accessed the "Hotmail servers through specific knowledge of advanced Web development languages." But security experts disagreed.
"This obviously doesn't require detailed knowledge of Web development languages to exploit," said Ian Goldberg, chief scientist at Zero-Knowledge Systems. "Basically, this URL is like walking up to a guard and saying, 'I'm so-and-so. That other guard over there already checked my ID,' and having him wave you in."
The amount of access would depend on the account configuration. In some cases snoopers can only see a list of messages, security experts said. In other cases, they can take complete control of the account.
Following the discovery of the second security hole, Microsoft acknowledged this was a Hotmail server problem but still laid the blame on hackers.
"It was a hacker or group of hackers that took advantage of that and exposed that," Sanford said.
According to the source code of the U.K. Web page, the "Hotmail Login ID Storage Program 1.1" was written by Michael Nobilio on June 7, 1998.
Initial blame fell on the author of the login used by the Web pages in Sweden and the United Kingdom, but security experts pointed out that script had been modified.
The login program is widely distributed and was not designed to bypass normal Hotmail authentication, security experts said.
"What?s going on here is that it's an old login script, and this is not currently how you log in to Hotmail," speculated Richard Smith, president of Cambridge-based Phar Lap Software. "I think that someone just noticed that you could type in a wrong password and get in."
But would-be Hotmail pirates did not require access to the Web sites to bypass passwords. They needed only the complete Web address for the Hotmail server, including the login portion. Changing "username" to a person's Hotmail login name would go to the account without using a password.
Microsoft over the weekend updated its Hotmail servers as part of its Passport launch. Passport, an e-commerce online service and Web portal, brings all of a user's login accounts and passwords together as one. Microsoft has touted the service as an easier way to access multiple Web accounts and to purchase goods and services over the Internet.
But security experts suggested it might not be coincidence the security holes appeared soon after update of Hotmail for Passport. Sanford flatly denied the problems had anything to do with Passport.
Still, the timing is bad for Microsoft, which faced an Internet Explorer security problem last week and another the week before affecting Office 97 and 2000.
Hotmail has suffered a number of problems, including outages and delays, but it is hardly alone. Although free Web-based email firms have been plagued with service problems, they remain one of the Web's most popular tools.