BANGALORE, September 1: Microsoft has said that it has patched the
security hole in its MSN Hotmail free email service that let Net surfers
access any Hotmail account with just the email address.
According to CNET’s News.com, security experts had said that where
there are two password holes, there are likely more, and they criticized
Microsoft's decision to quickly say the breach had been fixed.
Microsoft initially pulled Hotmail offline for about two hours early on
Tuesday after being alerted that two web sites, one in the United Kingdom
and one in Sweden, allowed anyone to access any Hotmail account without a
password. Would-be Hotmail pirates needed only to know a username to get in.
The hackers had taken advantage of a weakness in the login script for a
particular Hotmail server. The problem reappeared because Microsoft failed
to fix another server, News.com quoted Deanna Sanford, MSN lead product
marketing manager, as saying.
According to the news site, a Microsoft spokesperson initially claimed
hackers accessed the "Hotmail servers through specific knowledge of
advanced Web development languages." But security experts disagreed.
"This obviously doesn't require detailed knowledge of Web
development languages to exploit," said Ian Goldberg, chief scientist
at Zero-Knowledge Systems. "Basically, this URL is like walking up to
a guard and saying, 'I'm so-and-so. That other guard over there already
checked my ID,' and having him wave you in."
The amount of access would depend on the account configuration. In some
cases snoopers can only see a list of messages, security experts said. In
other cases, they can take complete control of the account.
Following the discovery of the second security hole, Microsoft
acknowledged this was a Hotmail server problem but still laid the blame on
hackers. "It was a hacker or group of hackers that took advantage of
that and exposed that," Sanford said.