|Home | Free Email Providers | Other Free eCommunications | Help/Info | FEPG Services | Corporate|
|You are here: Home -> Help/Info -> News -> News Archive -> News Story|
Another security hole in Hotmail
The current problem comes on the heels of a series of bugs that plagued Hotmail and other Web-based freemail providers last month.
Hotmail downplayed its own responsibility for the current problem, however, characterizing it as "largely a network security issue."
"It appears that if you're in an insecure network, behind a firewall with another user, that second user can 'sniff' the traffic, including the Hotmail URL or the cookie, as long as the first user is still logged onto the service," said Sean Fee, director of product marketing at Hotmail.
Fee was referring to the practice of "packet sniffing," or monitoring data as it passes through a network.
Fee said the intruder could access another account behind the same firewall in one of two ways.
One is to swipe the cookie, or the file that Hotmail places on the user's computer to identify that computer. Hotmail and other free email providers rely on cookies because computers in corporate or other network environments usually are assigned random IP (Internet protocol) addresses, rather than given one address per computer.
The other way is to steal the Web address, or URL, sent to and from Hotmail. By cutting and pasting that URL into a browser window before the victim's session expires, the intruder can access the account.
Hotmail's present security problem bears some resemblance to a hole BellSouth fixed last month. In that situation, the BellSouth Web mail URLs were showing up on the server logs of third-party Web sites that Web mail users visited directly from their accounts.
In this case, however, Fee stressed that only users in "insecure networks" were at risk.
The security hole also resembles problems in revealing users' Web mail addresses and other personal information that both Excite and Hotmail have faced. But in this case, intruders can not only glean addresses and information, but also gain complete control over the user's account, letting them read, delete, and send mail under the victim's name.
The problem is the subject of a Web page by Chee Mun Kean, a computer science student in Kuala Lumpur.
Both Fee and Chee recommended that users log out after completing their Hotmail sessions, because intruders can only take advantage of this problem if the account holder's session is still active. Hotmail sessions last two hours unless the user logs out or shuts down the browser.
Fee said Hotmail engineers were examining Chee's description of the problem.
"We will see if there are any appropriate steps that we can take to help minimize user risk," he added.
By Paul Festa
|Book Store | Reviews | Message Boards | FAQ | Contact FEPG | Advertising Rates | Affiliate Programs|
|Back to Top||
Copyright© Cole & Associates 1997-2001.
All Rights Reserved.
The Free Email Providers Guide makes every effort to ensure the accuracy of information presented on this site. However we make no warranty and cannot be responsible for any damages resulting from use of information from this site. Links to other websites are provided as a convenience and the Free Email Providers Guide is not responsible for the content, which is the sole responsibility of the website.