Microsoft claims Hotmail hole is patched

CIOL Bureau

BANGALORE, September 1: Microsoft has said that it has patched the security hole in its MSN Hotmail free email service that let Net surfers access any Hotmail account with just the email address.

According to CNET’s News.com, security experts had said that where there are two password holes, there are likely more, and they criticized Microsoft's decision to quickly say the breach had been fixed.

Microsoft initially pulled Hotmail offline for about two hours early on Tuesday after being alerted that two web sites, one in the United Kingdom and one in Sweden, allowed anyone to access any Hotmail account without a password. Would-be Hotmail pirates needed only know a username to get in.

The hackers had taken advantage of a weakness in the login script for a particular Hotmail server. The problem reappeared because Microsoft failed to fix another server, said Deanna Sanford, MSN lead product marketing manager, reported News.com.

According to the news site, a Microsoft spokesperson initially claimed hackers accessed the "Hotmail servers through specific knowledge of advanced Web development languages." But security experts disagreed.

"This obviously doesn't require detailed knowledge of Web development languages to exploit," said Ian Goldberg, chief scientist at Zero-Knowledge Systems. "Basically, this URL is like walking up to a guard and saying, 'I'm so-and-so. That other guard over there already checked my ID,' and having him wave you in."

The amount of access would depend on the account configuration. In some cases snoopers can only see a list of messages, security experts said. In other cases, they can take complete control of the account.

Following the discovery of the second security hole, Microsoft acknowledged this was a Hotmail server problem but still laid the blame on hackers. "It was a hacker or group of hackers that took advantage of that and exposed that," Sanford said.