Hotmail Accounts Exposed to All

More than 50 million Hotmail accounts were left exposed in what may be the most serious -- and definitely the most widespread -- Net security breach yet. By Declan McCullagh and James Glave.

No sooner was one catastrophic security flaw closed Monday – one that exposed millions of Hotmail accounts to prying eyes – than another one appeared.

The net result: Hotmail account holders were in danger of having their email messages read – as well as being impersonated in email – until midday Monday.



The first breach was closed Monday at around 9 a.m. PDT, when Hotmail restored access to legitimate subscribers.

The second breach – a variation of the first – may have been the result of one Hotmail machine that evidently was not fixed when the others were.

The significance of these security holes is that private Hotmail accounts became available to anyone with a Web browser. Most security vulnerabilities on the Internet require in-depth knowledge of Unix or Windows NT, technical knowledge that the average Web user does not possess.

The bug appears to have affected every customer of what Microsoft says is "the world's largest provider of free Web-based email."

Between 8:30 and 9 a.m. PDT, Microsoft pulled the plug on large portions of the entire Hotmail site, rendering it unreachable for millions of subscribers. During that period, the only access to Hotmail accounts could be made through illicit means – by those who had access to a simple code that was spread wildly on the Net over the weekend.

That was about 12 hours after the company was notified of the security hole. But users already logged in to their accounts – or someone else's – could continue to send, receive, and delete email.

Around 9:30, sections of Hotmail began to slowly come back online. By that time, people without Hotmail accounts could connect to the site's homepage. Users with accounts configured to remember their password, however, received this unhelpful message: "ERROR: Cannot open UserData file."

As of 10:15 a.m., Microsoft engineers, led by Mike Nichols in Redmond, Washington, had managed to fix that problem, too, and users could log in normally again. Yet there still was no reference to the problem anywhere on either the Hotmail or MSN sites.

An unnamed Microsoft spokeswoman could not offer any explanation for the problem. She said that the company took down the Hotmail servers as soon as the company was notified of the problem by the European press Monday morning.

She said Monday morning that the company had resolved the issue so that future attacks of this type would not be possible. That has not proven to be the case.

The exploit worked this way: Any Web page that contained a short, simple code – visible on most browsers as a type-in form – was able to connect to a Hotmail server simply by typing in a user name, without requiring a password.

By early Monday, copies of that HTML code were posted on hacking-related Web sites.

The Hotmail exploit apparently took advantage of a bug in the start script that processed a login session between a Web browser and a server.

One site where the problem surfaced was at 2038.com, which Network Solutions shows registered to Moving Pictures, a group based in Sweden. Erik Barkel, the contact associated with that domain, could not be reached for comment.

As of about 8:30 a.m. that site redirected to a Web page promoting a marketing company.

The managers of that company said they had nothing to do with the redirect. "It's just a point[er] put there by a person who's trying to make a joke," said Anders Herlin, business development manager at Abel and Baker. "We haven't had the slightest idea why."

"All I know is we do not want to be associated with it," said Herlin. "We are a fairly new company. Maybe someone wanted to cause us harm."

But the code quickly spread to dozens, if not hundreds of sites.

A Swedish newspaper, Expressen, reported the bug in its Monday editions. The bug let anyone log into a Hotmail account without typing a password.

"We know nothing about [the individual who tipped us]. It was anonymous," said Christian Carrwik, one of two Expressen reporters who broke the news. "It has been circulating for a couple of days."

Expressen said Microsoft was alerted very early Sunday morning.

This is only the most recent Microsoft security gaffe.

Redmond admitted earlier this month that its MSN Messenger instant messaging client can accidentally disclose Hotmail account passwords. Even if the password is supposedly deleted from a computer, someone else could still view it if they knew the proper keystrokes.

Last week, Wired News reported a bug in tens of millions of Microsoft Windows computers that lets an attacker take control of a PC by sending an email message.

Lindsey Arent contributed to this report.