New bugs plague free emailers

As Hotmail cleans up after a widely publicized security problem, other free email providers are struggling to plug a host of similar, newly recognized holes.

Paul Festa, Staff Writer, CNET News.com. Festa covers browser development and Web standards.
Just as Microsoft's Hotmail cleans up after a widely publicized security problem, free email providers across the Web are struggling to plug a host of similar, newly recognized holes.

Specialty Installations, the Canadian networking solutions provider whose password-stealing demonstration first drew attention to Hotmail's security woes, today posted another demo aimed at Yahoo Mail. While the first demonstration used JavaScript to present a bogus "timed-out" page that could fool users into handing over user names and passwords, the new demonstration used a Java applet to accomplish the same thing.

JavaScript is a scripting language for the Web developed by Netscape Communications. Java is a full-fledged programming language developed by Sun Microsystems. The two languages are unrelated apart from their names.

Yahoo Mail, which uses its own proprietary technology, plugged its Java security hole hours after Specialty Installations posted its demonstration.

But other free Web-based email providers said today that the JavaScript and Java exploits are just a few of the security holes leaving their services vulnerable.

Sites that are vulnerable to the new Java applet exploit include Lycos Email, MailCity, Eudora Web-Mail, and MailExcite, according to Specialty Installations.

The Eudora mail service that is affected is Qualcomm's free Web-based service, not its popular desktop email application.

Hotmail is not vulnerable to the Java applet exploit. Nor is USA.net, which powers Netscape's WebMail, American Express's AmExMail, and USA.net's own NetAddress.

Specialty Installations has posted a chart listing which email services filter out JavaScript, Java applets, hidden JavaScript, and metatags, four elements that programmers can use to build so-called Trojan horses: malicious pages or scripts that masquerade as benign content or insert themselves invisibly into the user's session.

Metatags can do this because a meta refresh tag embedded in an HTML message tells the browser to load another page automatically; that page can be a spoofed "timed-out" login screen that fools users into disclosing names and passwords.

Far more sites than those listed by Specialty Installations are vulnerable to the present exploit. iName, which powers the listed Lycos Email, also powers more than 40 other free email sites, including those branded by InfoSpace, Switchboard, Standard & Poors, CBS Sportsline, CNN, Time Warner, AltaVista, Lexis-Nexis, the Oakland Raiders, and Lycos's search and directory sites for the United Kingdom, Germany, and Italy.

iName also will power free email for search and directory site Snap. That email service will launch in the third week of September, according to iName. (Snap is a joint venture between NBC and CNET: The Computer Network, publisher of News.com.)

"iName is aware of the metatags and Java applets issues and is currently working on a fix for those," said Peter Hamlen, vice president of software development at iName. "We also believe the problem is more pervasive than Because-We-Can's list of four problems suggests, and we are coming up with a more complete solution."

Because-We-Can is a group within Specialty Installations devoted to nonprofit programming efforts. Web programmer Tom Cervenka, who goes by the alias Blue Adept, designed both the Java and the JavaScript demonstrations.

Hamlen said iName would release its fix on Monday. He said it would include filters for browser plug-ins such as Macromedia's Flash as well as Microsoft's ActiveX controls and VBScript, all of which could be accomplices in a Trojan horse attack.
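The filter the providers were racing to add is straightforward to sketch. The following is an added example, not code from the article or from any of the vendors it names: it strips the four element classes in Specialty Installations' chart (script blocks, Java applets, "hidden" JavaScript in event-handler attributes and javascript: URLs, and meta refresh tags) plus the object and embed containers that carry Flash and ActiveX, which is the broader scope iName's Hamlen describes. The sample message, the spoofed.example host, and the stealPassword function name are constructed for this example. Regex-based filtering is used for brevity; a production filter should work on a real HTML parse tree, because browsers tolerate malformed markup that regexes miss.

```javascript
// Added example: a minimal filter for HTML mail bodies. Not the article's or
// any vendor's code; sample message and hostnames are constructed.

// Elements whose entire body is code or a plug-in: drop tag and content.
const DROP_WITH_CONTENT = ['script', 'applet', 'object', 'embed', 'iframe', 'style'];
// Elements that redirect, rebase or submit the page: drop the tag, keep text.
const DROP_TAG_ONLY = ['meta', 'base', 'link', 'frame', 'frameset', 'form'];
// URL schemes that execute code instead of fetching a resource.
const ACTIVE_SCHEMES = ['javascript:', 'vbscript:', 'livescript:', 'data:'];

// Returns the cleaned body plus a sorted list of what was removed, so a
// provider can fill in the kind of chart the article describes.
function sanitizeMail(html) {
  const removed = new Set();
  let out = html;

  // 1. Comments can hide script fragments from naive filters; drop them first.
  out = out.replace(/<!--[\s\S]*?-->/g, '');

  // 2. Whole elements whose content is code: <script>..</script>, <applet>..</applet>, etc.
  const names = DROP_WITH_CONTENT.join('|');
  const blockRe = new RegExp(`<(${names})\\b[^>]*>[\\s\\S]*?<\\/\\1\\s*>`, 'gi');
  out = out.replace(blockRe, (m, name) => { removed.add(name.toLowerCase()); return ''; });
  // Unterminated or self-closing variants of the same tags (e.g. a lone <embed>).
  const looseRe = new RegExp(`<\\/?(${names})\\b[^>]*>`, 'gi');
  out = out.replace(looseRe, (m, name) => { removed.add(name.toLowerCase()); return ''; });

  // 3. Tags that redirect or rebase the page: <meta http-equiv="refresh">, <base>, <form>...
  const tagRe = new RegExp(`<\\/?(${DROP_TAG_ONLY.join('|')})\\b[^>]*>`, 'gi');
  out = out.replace(tagRe, (m, name) => { removed.add(name.toLowerCase()); return ''; });

  // 4. Every remaining opening tag: drop on* handlers and active-scheme URLs.
  out = out.replace(/<([a-zA-Z][\w:-]*)([^>]*)>/g, (m, name, attrs) => {
    const kept = [];
    const attrRe = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const key = a[1].toLowerCase();
      const raw = a[2] === undefined ? null : a[2].replace(/^["']|["']$/g, '');
      if (key.startsWith('on')) { removed.add('event handler'); continue; }
      if (raw !== null) {
        // Browsers ignore whitespace and control characters inside a scheme
        // ("java\tscript:"), so normalise before comparing.
        const norm = raw.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
        if (ACTIVE_SCHEMES.some(s => norm.startsWith(s))) { removed.add('active url'); continue; }
      }
      kept.push(raw === null ? a[1] : `${a[1]}="${raw.replace(/"/g, '&quot;')}"`);
    }
    return kept.length ? `<${name} ${kept.join(' ')}>` : `<${name}>`;
  });

  return { html: out, removed: [...removed].sort() };
}

// Constructed sample carrying one instance of each element class the chart tracks.
const SAMPLE_MESSAGE = [
  '<html><body>',
  '<meta http-equiv="refresh" content="0;url=http://spoofed.example/login">',
  '<p onmouseover="stealPassword()">Hi, see the attached <a href="javascript:stealPassword()">file</a>.</p>',
  '<script>document.location="http://spoofed.example/timed-out"</script>',
  '<applet code="TimedOut.class" width="1" height="1"></applet>',
  '<embed src="http://spoofed.example/login.swf">',
  '<p>Regards,<br/>A. Sender</p>',
  '</body></html>',
].join('\n');

console.log(sanitizeMail(SAMPLE_MESSAGE));
```

The order of the passes matters: whole code-bearing elements go first so that a `<script>` body is never reinterpreted as attributes of a later tag, and the attribute pass normalises values before the scheme check so that tab- or newline-split `javascript:` URLs are caught. The `removed` list is what a provider would tabulate to show which of the chart's four columns its filter actually covers.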

WhoWhere, whose Webmail technology powers MailExcite, MailCity, Eudora Web-Mail, and about 40 others, acknowledged that the JavaScript and Java applet security holes affected its sites and said it was testing a fix that would be ready within 24 hours.

Other sites with WhoWhere-powered email include ZDNet, TheGlobe.com, NetNoir, and the Oakland Athletics.

Specialty Installations' Cervenka said, as he has on the subject of his other exploit, that he designed the present one to warn companies and the public about the security hazards of Web-based email.

"We're not trying to use this as an illustration that there's a problem with Java applets in general, but rather that there's a problem with the user interface or filtering design of the Web-based email services," Cervenka said. "I think once people see this chart we made, they will have a good idea of how good the players are. There are some strong ones, some that are totally vulnerable, and some in-between. It's a nice spread."