
BellSouth stamps out email bugs

The firm plugs a variety of security bugs that plagued its Web-based email service, powered by Bigfoot.

Paul Festa, Staff Writer, CNET News.com

Paul Festa covers browser development and Web standards.

BellSouth spent the morning plugging security holes in its free Web Mail Service.

BellSouth Web Mail, which is powered by Bigfoot, this week turned up a number of security bugs. The first group consists of password-stealing Trojan horses, malicious exploits that insinuate themselves invisibly into the user experience. They are the same variety that plagued Microsoft's Hotmail and dozens of other freemailers this week.

The other type of bug BellSouth took care of this morning had to do with the way Bigfoot's Webmail technology tracks users' identities as they go from page to page. Bigfoot tracks its users with what is known as a "referer page": the page URL itself carries the user name and encrypted password.

The security problem arose because the URL for these pages was showing up in the server logs of third-party sites that users visited directly from their BellSouth Web Mail accounts. If the administrator of such a third-party server copied that URL from the server log and pasted it into a browser window within the time limits that Webmail services normally impose on sessions, that administrator would have full access to the mail account.
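The leak described above is visible from the third-party side as a Referer value containing credential-like query parameters. As an added example (not from the article, BellSouth or Bigfoot), the following Python scans constructed Apache/NGINX "combined" log lines for exactly that pattern, and shows how such a URL can be redacted before it is written to a log. The hostnames, parameter names and log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NGINX "combined" log format: the Referer is the first quoted field after the status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-parameter names that should never travel in a URL (assumed names chosen for this example).
SENSITIVE_PARAMS = {"user", "username", "login", "pass", "password", "pw",
                    "session", "sessionid", "sid", "token"}

# Constructed sample: a third-party site's access log receiving visitors who followed a link
# out of a webmail session whose page URL carried the user's credentials.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/1999:10:15:02 -0500] "GET /article.html HTTP/1.0" 200 5120 "http://webmail.example.net/read?user=alice&pw=3f2a9c1e" "Mozilla/4.0"
198.51.100.23 - - [10/Aug/1999:10:16:44 -0500] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/1999:10:17:09 -0500] "GET /page2.html HTTP/1.0" 200 4096 "http://search.example.com/?q=bellsouth" "Mozilla/4.0"
192.0.2.55 - - [10/Aug/1999:10:18:30 -0500] "GET /img/logo.gif HTTP/1.0" 304 0 "http://webmail.example.net/folder?sid=9a8b7c6d5e&folder=inbox" "Mozilla/4.0"
"""


def find_leaked_credentials(log_text):
    """Return one finding per log line whose Referer carries a sensitive query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("-", ""):
            continue
        ref = urlsplit(m.group("referer"))
        params = parse_qs(ref.query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({
                "client_ip": m.group("ip"),
                "referer_host": ref.hostname,
                "leaked_params": leaked,   # names only; the values are never copied into the finding
            })
    return findings


def redact_referer(url):
    """Blank the values of sensitive parameters so the URL can be logged safely."""
    ref = urlsplit(url)
    parts = []
    for pair in (ref.query.split("&") if ref.query else []):
        name, _, _value = pair.partition("=")
        parts.append(f"{name}=[REDACTED]" if name.lower() in SENSITIVE_PARAMS else pair)
    return ref._replace(query="&".join(parts)).geturl()


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"{f['client_ip']} arrived from {f['referer_host']} with {f['leaked_params']} in the URL")
    print(redact_referer("http://webmail.example.net/read?user=alice&pw=3f2a9c1e"))
```

Run against a real access log, the scanner points at the sites whose URLs are leaking, which is how a third-party administrator would notice the problem the article describes; the redaction helper is the minimum a site should apply before retaining Referer values at all.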

Bigfoot patched this second bug by identifying users not only by name and password but also by the Internet protocol (IP) address of the computer they use to log on for a given session. By checking the IP address, the system prevents a third-party computer (which has its own distinct IP address) from accessing the account.
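The IP-binding fix, as an added example written for this page rather than Bigfoot's own code: a server-side session table that records the login address and rejects a session token presented from any other address or after the idle limit. The session store, the 15-minute idle limit and the addresses in the scenario are all assumptions for the example; the walk-through replays the article's situation, a URL copied from a third party's log and opened from a different machine within the time window.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle limit for the example


class SessionStore:
    """Hypothetical in-memory session table that binds each session to the IP that logged in."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so the scenario below can advance time deterministically
        self._sessions = {}

    def login(self, username, client_ip):
        # A random token replaces the name+encrypted-password pair that the vulnerable URLs carried.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "ip": client_ip, "last_seen": self.clock()}
        return token

    def validate(self, token, client_ip):
        """Return (ok, detail): ok only if the token is known, unexpired and presented from the login IP."""
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown-token"
        now = self.clock()
        if now - sess["last_seen"] > self.ttl:
            del self._sessions[token]
            return False, "expired"
        if client_ip != sess["ip"]:
            # Do not touch last_seen: a request from another host must not extend the owner's session.
            return False, "ip-mismatch"
        sess["last_seen"] = now
        return True, sess["user"]


def replay_scenario():
    """Walk through the article's scenario with a controllable clock and return each check's outcome."""
    now = [1_000_000.0]
    store = SessionStore(ttl=SESSION_TTL_SECONDS, clock=lambda: now[0])
    token = store.login("alice", "203.0.113.7")        # legitimate login from the user's own machine
    results = {}
    results["owner"] = store.validate(token, "203.0.113.7")
    now[0] += 60
    # The same token arrives from a different address, well inside the idle window.
    results["replay_other_host"] = store.validate(token, "198.51.100.23")
    results["owner_after_replay"] = store.validate(token, "203.0.113.7")
    now[0] += SESSION_TTL_SECONDS + 1
    results["owner_after_idle"] = store.validate(token, "203.0.113.7")
    results["unknown"] = store.validate("not-a-real-token", "203.0.113.7")
    return results


if __name__ == "__main__":
    for step, outcome in replay_scenario().items():
        print(f"{step:>20}: {outcome}")
```

Two limits of this fix are worth keeping in mind: users behind a shared proxy or NAT present one address, so a second party on the same gateway is not distinguished from the account owner, and a user whose address changes mid-session is logged out. Binding to the address narrows the window; keeping credentials and session identifiers out of URLs altogether (a cookie-borne token, as in the store above) removes the leak at its source.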

"Before today we didn't define the user from a physical location," said Monty Faidley, business development manager for Bigfoot. "Now, by specifying the user's location, by checking the user's IP address, we have fixed the bug."

Faidley stressed that no incidents of malicious activity involving either type of security hole had been reported.

BellSouth and Bigfoot became aware of the problem after bug reports were posted on the Internet. One such report was posted Tuesday to "bugtraq@netspace.org" by Leonid Knyshov, a consultant with Crashproof Solutions.

BellSouth is the only company that licenses Bigfoot's Web mail technology, according to Bigfoot. Bigfoot is in negotiations with other potential partners.