Hotmail, Excite have privacy hole
The firms' free email services are unwittingly revealing users' account names to other Web sites--giving spammers precious private data.
The addresses are exposed when Hotmail and Excite email users receive an email message containing a link to a Web site, CNET NEWS.COM has learned. When these Hotmail or Excite users click on the link, the Web site's "referral logs" record their email addresses.
By itself, this information may not mean much, and a Web site operator would have to plow through the site's daily server logs to harvest Hotmail and Excite email account names.
But to a direct marketer--such as the Net's notorious senders of unsolicited email--this information can be invaluable. The data could help unsolicited bulk emailers identify specific users of the free email services--helping spammers fine-tune their one-to-one marketing tactics and track the outcomes of their sales pitches.
When alerted that its referral headers were revealing customers' email addresses, a Hotmail spokeswoman couldn't immediately confirm the existence of the hole, but said the company would look into the matter.
An Excite executive confirmed that the hole existed, but said he doubted it affected many of the service's users in a negative way. Still, he told NEWS.COM the firm would quickly work to patch the hole.
"We acknowledge this as an issue. We don't think it is a big issue," said Adam Hertz, vice president of development at Excite.
"It's conceivable that it would enable a spammer," he added. "We will remedy the situation by removing the user name from the referral log. We want our users to have the most spam-free environment we can create for them."
The Hotmail hole was initially discovered by Jason Catlett, founder of Junkbusters, a site that offers tools to help people eliminate junk email and protect their online privacy. Further investigation of other free Web-based email services found that Excite also is leaking its users' email addresses to other Web sites.
Discovery of the hole is an ironic twist for the Hotmail because it has been diligent about canning spam. The company has won lawsuits against bulk emailers for abusing its service, and just today the company endorsed Rep. Chris Smith's (R-New Jersey) Netizens Protection Act to completely outlaw spam.
For Excite, this is the second security hole discovered in its increasingly personalized portal. Last month, it was uncovered that when shared computer users left their Excite start pages to travel to other parts of the Net, the addresses of their personalized pages also were recorded in server logs, giving unauthorized third parties access to a person's stock portfolio, news preferences, birth date, marital status, email address, and other details.
Hertz said this problem has not yet been fixed.
In the case of Hotmail, its numerical IP address and the user's name is contained in a site's "referral" log. With Excite, "mail.mailexcite.com" appears in the string along with the user's account name. These logs tell Web sites where their traffic is coming from--which explains why the hole is found in free Web-based email accounts.
"The most obvious danger here is that spammers can use it to find out exactly who clicks through to the sites that they spam for," Catlett said.
"But it could also be used to scavenge email addresses from a site's server logs," he added. "There's no practical way for people who have been exposed in this way to go back and remove their addresses from those logs, even if they could remember where they have been."
Spammers, who often send get-rich quick offers or advertisements for pornography, could monitor Hotmail and Excite recipients to see if these email users bit the bait by going to a site pitched in a spam message. In the case of adult entertainment sites, for example, simply delivering traffic can be a lucrative venture. Spammers and other Web site owners often are paid for each visitor they supply to an adult content site.
These marketers also could use this unique information to send people more spam about topics or products in which they have shown interest. This unique data also could help determine whether it is true that "email marketing works," as many spam messages assert these days.
Overall, this type of unsolicited marketing annoys most people, which is evident by the public and regulatory backlash against spam.
"If [the privacy hole] is a reality [and is exploited], it's an unfortunate side effect of the overall problem of spam," the Hotmail spokeswoman said. "And efforts like the Smith bill will hopefully diminish the larger problem of unsolicited email."
Using his server logs, Catlett launched a tool today that lets any Net user confirm whether his or her Web-based email account information is revealed when they link to a site address from an email message .
He said Hotmail and Excite users should consider the offline implications of their email addresses being passed to third parties in this fashion. Once unique Net users are being tracked this way, he said, it is possible for a marketer to try and match their email address to a postal address or to generate banner ads based on their proven interests every time they visit a site.
Catlett said the problem could be eliminated if Hotmail and Excite changed the way they present referral information by hiding certain data so that it doesn't reveal the email addresses.
Of course, any Web site that sends email to Hotmail and Excite users could exploit this information. But based on political pressure and regulatory threats, many of the Net's most popular sites are starting to adopt privacy policies that state they will not track visitors based on their unique identities or that if they do this, they will not share the data with third parties.
For example, the more than 50 companies that make up the new Online Privacy Alliance have promised to let online consumers choose how their personal information may be used (including a choice to opt out), and to take measures to prevent the misuse of personal information when given to third parties. Members of the alliance include Microsoft, America Online, IBM, and Hewlett-Packard.
Still, these plans were criticized at a Commerce Department summit last week for lacking clear enforcement mechanisms.
By passing account users' names on to Web sites, Microsoft's Hotmail and Excite may be in violation of their privacy policies.
Hotmail states that it will share member information in aggregate form, but that it will not disclose a member's name, mailing address, email address, account, and phone number without permission.
Excite, which is a member of Truste, could have covered its liability for the apparent breach because it states that it will never "willfully" disclose information about its customers to any third party without permission.
Hertz said the hole was not a breach of Excite's policy.
"We didn't know about this until today," he said. "I would actually dispute that it's a violation of our privacy policy, but the potential for nuisance is there."