Free Email Providers Guide

Another security hole in Hotmail
September 16, 1998, 9:50 a.m. PT

Microsoft's Hotmail has acknowledged a security problem with its Web-based email service that could compromise the accounts of users in corporate computing environments.

The current problem comes on the heels of a series of bugs that plagued Hotmail and other Web-based freemail providers last month.

Hotmail downplayed its own responsibility for the current problem, however, characterizing it as "largely a network security issue."

"It appears that if you're in an insecure network, behind a firewall with another user, that second user can 'sniff' the traffic, including the Hotmail URL or the cookie, as long as the first user is still logged onto the service," said Sean Fee, director of product marketing at Hotmail.

Fee was referring to the practice of "packet sniffing," or monitoring data as it passes through a network.

Fee said the intruder could access another account behind the same firewall in one of two ways.

One is to swipe the cookie, or the file that Hotmail places on the user's computer to identify that computer. Hotmail and other free email providers rely on cookies because computers in corporate or other network environments usually are assigned random IP (Internet protocol) addresses, rather than given one address per computer.

The other way is to steal the Web address, or URL, sent to and from Hotmail. By cutting and pasting that URL into a browser window before the victim's session expires, the intruder can access the account.

Hotmail's present security problem bears some resemblance to a hole BellSouth fixed last month. In that situation, the BellSouth Web mail URLs were showing up on the server logs of third-party Web sites that Web mail users visited directly from their accounts.

In this case, however, Fee stressed that only users in "insecure networks" were at risk.

The security hole also resembles problems in revealing users' Web mail addresses and other personal information that both Excite and Hotmail have faced. But in this case, intruders can not only glean addresses and information, but also gain complete control over the user's account, letting them read, delete, and send mail under the victim's name.

The problem is the subject of a Web page by Chee Mun Kean, a computer science student in Kuala Lumpur.

Both Fee and Chee recommended that users log out after completing their Hotmail sessions, because intruders can only take advantage of this problem if the account holder's session is still active. Hotmail sessions last two hours unless the user logs out or shuts down the browser.
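The following is an added illustration, not code from Hotmail, Chee's page, or the original article: a minimal model of a server-side session table showing why a copied cookie or URL token keeps working until the owner logs out or the two-hour lifetime lapses. The `SessionStore` class, its methods, the account names, and the timeline are all hypothetical.

```python
import secrets

SESSION_LIFETIME = 2 * 60 * 60  # seconds; the two-hour lifetime the article reports


class SessionStore:
    """Hypothetical session table: whoever presents the token is the user."""

    def __init__(self):
        self._sessions = {}  # token -> (account, expiry time in seconds)

    def login(self, account, now):
        token = secrets.token_urlsafe(16)  # value carried in the cookie or URL
        self._sessions[token] = (account, now + SESSION_LIFETIME)
        return token

    def resolve(self, token, now):
        """Return the account for a token, or None once it is invalid.

        No client address is checked: as the article notes, machines behind
        one firewall do not have a stable address per computer.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        account, expires = entry
        if now >= expires:
            del self._sessions[token]  # expired sessions are purged
            return None
        return account

    def logout(self, token):
        self._sessions.pop(token, None)  # server forgets the token at once


def replay_window():
    """Constructed timeline: when does a copy of the token still resolve?"""
    store, results = SessionStore(), {}
    token = store.login("alice@example.com", now=0)
    copied = token  # an observed copy is byte-identical to the original
    results["while logged in"] = store.resolve(copied, now=600)
    store.logout(token)  # the step Fee and Chee recommend
    results["after logout"] = store.resolve(copied, now=601)
    idle = store.login("bob@example.com", now=0)  # user walks away instead
    results["abandoned at 1h59m"] = store.resolve(idle, now=SESSION_LIFETIME - 60)
    results["abandoned at 2h"] = store.resolve(idle, now=SESSION_LIFETIME)
    return results


if __name__ == "__main__":
    for moment, account in replay_window().items():
        print(f"{moment}: {account}")
```
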

Fee said Hotmail engineers were examining Chee's description of the problem.

"We will see if there are any appropriate steps that we can take to help minimize user risk," he added.

By Paul Festa
Staff Writer, CNET


Copyright © Cole & Associates 1997-2001. All Rights Reserved.