
Free emailers scramble to gauge risk

In response to news that Hotmail passwords are vulnerable to theft, free email providers are rushing to determine if they also are at risk.

Hotmail may not be the only one with a security problem.

In response to today's news that Microsoft's free email service was vulnerable to a JavaScript exploit, free Web mail providers are scrambling to determine if their services are similarly at risk.

The vulnerability stems from the fact that Hotmail does not filter out JavaScript sent to its users. As a result, it is possible to send malicious code designed to collect user names and passwords from unsuspecting users. Canadian networking solutions reseller Specialty Installations posted a demonstration of the exploit this morning.

Specialty Installations disclosed the security breach in part to pressure Hotmail into filtering out JavaScript code from incoming mail. Hotmail says it is working on a fix and is considering that solution, among others.

Three sites known to be taking measures against the JavaScript menace are USA.net's NetAddress, Netscape Communications' WebMail, and American Express's AmExMail. All three sites are powered by USA.net, which tonight is in the process of blocking all incoming JavaScript code.

"Right now we don't have anything that prevents users from receiving JavaScript," said Danny Winokur, vice president of business development for USA.net. But Winokur noted that his engineers had not yet determined definitively that the USA.net-powered sites were vulnerable to a similar exploit.

Ultimately USA.net wants to find a way to protect users against malicious exploits while continuing to allow them to receive JavaScript code, Winokur said. "We'd like to keep the feature richness of our service without exposing users to this kind of a risk," he said.

Qualcomm's Web-based Eudora Web-Mail is testing its system to determine if it is at risk. When asked if users were capable of receiving JavaScript by email, EudoraMail product line manager Matthew Parks declined to comment.

Qualcomm, more widely known for its Eudora email software for the desktop than for the Web-based email under review today, recently had to address another security breach. But that problem affected the Eudora desktop product, not the Web service, Parks said.

As reported earlier, Yahoo Mail screens out JavaScript from incoming messages. MailExcite could not be reached for comment.