As Hotmail cleans up after a widely publicized security problem, other free email providers are struggling to plug a host of similar, newly recognized holes.
Yahoo Mail, which uses its own proprietary technology, plugged its Java security hole hours after Specialty Installations posted its demonstration.
Sites that are vulnerable to the new Java applet exploit include Lycos Email, MailCity, Eudora Web-Mail, and MailExcite, according to Specialty Installations.
The Eudora mail service that is affected is Qualcomm's free Web-based service, not its popular desktop email application.
Hotmail is not vulnerable to the Java applet exploit. Nor is USA.net, which powers Netscape's WebMail, American Express's AmExMail, and USA.net's own NetAddress.
Metatags can redirect users to a spoofed "timed-out" page that could fool them into disclosing names and passwords.
Far more sites than those listed by Specialty Installations are vulnerable to the present exploit. iName, which powers the listed Lycos Email, also powers more than 40 other free email sites, including those branded by InfoSpace, Switchboard, Standard & Poors, CBS Sportsline, CNN, Time Warner, AltaVista, Lexis-Nexis, the Oakland Raiders, and Lycos's search and directory sites for the United Kingdom, Germany, and Italy.
iName also will power free email for search and directory site Snap. That email service will launch in the third week of September, according to iName. (Snap is a joint venture between NBC and CNET: The Computer Network, publisher of News.com.)
"iName is aware of the metatags and Java applets issues and is currently working on a fix for those," said Peter Hamlen, vice president of software development at iName. "We also believe the problem is more pervasive than Because-We-Can's list of four problems suggests, and we are coming up with a more complete solution."
Hamlen said iName would release its fix on Monday. He said it would include filters for browser plug-ins such as Macromedia's Flash as well as Microsoft's ActiveX controls and VBScripts, all of which could be accomplices in a Trojan horse attack.
Other sites with WhoWhere-powered email include ZDNet, TheGlobe.com, NetNoir, and the Oakland Athletics.
As he has said of his other exploit, Specialty Installations' Cervenka said he designed the present one to warn companies and the public about the security hazards of Web-based email.
"We're not trying to use this as an illustration that there's a problem with Java applets in general, but rather that there's a problem with the user interface or filtering design of the Web-based email services," Cervenka said. "I think once people see this chart we made, they will have a good idea of how good the players are. There are some strong ones, some that are totally vulnerable, and some in-between. It's a nice spread."