Hotmail hole remains unplugged, security experts say

By Michael Stutz

SAN FRANCISCO (Wired) - Security updates made last month to Microsoft's free e-mail service, Hotmail, may have failed to fix a problem, security experts say. Not only that, but privacy watchdogs fear that the fix might actually help the company analyze their users' Web browsing habits.

``The exploit that's posted on our page, to this day, still works 100 percent,'' said Tom Cervenka, who discovered the security vulnerabilities last month. An exploit is a way of broaching a security system.

Hotmail officials denied both allegations, saying that their system is both secure and private.

Cervenka said that Hotmail is still vulnerable to the ''Attackments'' bug that he discovered and made public Aug. 28. That security problem essentially dupes users into giving out their usernames and passwords by sending a rogue e-mail attachment that fakes a Hotmail login page.

While the problem technically still exists, Hotmail contends that the issue is not a bug with its product but a matter of safe e-mail practices.

``Opening attachments from strangers is a risky proposition using any e-mail system,'' said Laura Norman, a Hotmail product manager. ``That's not a Hotmail-specific issue or even a Web-based e-mail issue.''

But the company did make some changes to its system, including technical adjustments that involved modifying email. In short, Hotmail now tweaks Web addresses contained in the body text of email messages sent through the system. Under the new scheme, the numeric address ``207.82.250.251'' is added to any URL passing through. That address is the numeric equivalent to a Web page at www.hotmail.com.

When clicked, the link opens in a new browser window with a top frame that contains the Hotmail logo and the text, ``You are visiting a site outside of Hotmail. Close this new browser window to return to Hotmail.''

Norman said that the changes are meant to protect Hotmail members from malicious emails that might contain embedded JavaScript, ActiveX, and Java applets. Such an applet might install a ``sniffer'' program on a victim's computer that could record keystrokes, such as passwords.

The company's new procedure scans incoming email messages before the user receives them and filters out any hostile code. Still, an attached document could contain any number of rogue programs that could be used to harm a user's system.

But privacy watchdogs counter that, whether the company realizes it or not, it has set itself up to analyze and record user clickthrough data by redirecting Web traffic through its servers.

``By logging the links it would be rather easy for them to see, for example, if I clicked on a link to apple.com that they should add 'mac user' to my demographic data used to target ads,'' said Web developer Dannie J. Gregoire, whose browser-based Trojan horse demo is similar in principle to Hotmail's recent vulnerabilities.

``This is a move into an extremely dangerous area,'' added Jason Catlett, CEO of Junkbusters, a firm that gives away free software that blocks online marketing messages. ``It's tampering with private communications to insert a surveillance mechanism. Hotmail should take this one back to the drawing board.''

Hotmail's Norman said that the information is used to improve the security of the system and is not tracked or used in any way. ``We aren't logging these clickthroughs,'' she said.

``There's one exception to that, which is within our Web Courier service, where we send emails at a member's request for a partner,'' Norman explained. ``In those cases, the partners requested that information, links embedded in those emails.''

A better way to have done it, Gregoire said, is to use a watermark system, which would be anonymous. ``For example, a watermark identifier-a random word or icon-could be placed in an upper corner of each Hotmail page.''

(Reuters/Wired)