Free E-mail Sites Battle Security Holes | Internet News

By Thor Olavsrud
May 10, 2000

A number of free e-mail providers were rushing Wednesday to repair a rash of security holes.

Microsoft Corp. Wednesday quickly patched a security hole in its free Web-based e-mail service, Hotmail.

“The fix is up and has been implemented on all of the hotmail servers,” a Microsoft spokesperson said Wednesday afternoon. “To our knowledge, no users were affected. We did disable the Hotmail servers for a short time this morning.”

Bug hunter Bennett Haselton, webmaster of Peacefire, an advocacy organization that opposes content filtering, discovered the flaw, which could allow an attacker to break into an e-mail account by sending a message with an attached HTML file.

“When the user views the attached HTML file, their cookies in the Hotmail.MSN.com domain are intercepted and sent to a hostile site; since the cookies are used for authentication, whoever receives them can then log into Hotmail as that user,” Haselton wrote in his description of the exploit. A full description of the exploit is available here.

The exploit uses a JavaScript Trojan horse embedded in the attachment to intercept the cookie. Hotmail filters JavaScript out of e-mail message bodies but did not apply the same filtering to HTML attachments.
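As an added illustration (not code from the article, and not Hotmail's actual filter), here is the defensive point of the previous paragraph in Python: the same active-content check is applied to the message body and to every HTML attachment, so an attachment cannot slip past a filter that only covers the body. The scanner, the sample message and the attachment name are constructed here for the example.

```python
# Added example, not from the article: one active-content check applied
# uniformly to the message body AND to each HTML attachment.
from html.parser import HTMLParser

# Assumed: attributes whose values are URLs and may carry javascript: scheme.
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
ACTIVE_TAGS = {"script", "object", "embed", "iframe"}


class ActiveContentScanner(HTMLParser):
    """Records every construct that can execute script in a mail client."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Strip whitespace so "java script:" style evasions still match.
            val = "".join(ch for ch in (value or "") if not ch.isspace()).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and val.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def find_active_content(html: str) -> list:
    """Return a list of findings; an empty list means no active content."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_message(body_html: str, attachments: dict) -> dict:
    """Run the identical filter over the body and every HTML attachment."""
    report = {"body": find_active_content(body_html)}
    for name, content in attachments.items():
        if name.lower().endswith((".htm", ".html")):
            report[name] = find_active_content(content)
    return report


# Constructed sample: the body is clean, the attachment carries script.
SAMPLE_BODY = "<p>Please see the attached file.</p>"
SAMPLE_ATTACHMENTS = {
    "invoice.html": '<html><body onload="x()"><script>/* active */</script>'
                    '<a href="javascript:void(0)">open</a></body></html>',
}
```

Running `scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS)` reports nothing for the body but three findings for the attachment, which is exactly the part a body-only filter would have let through.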

Hotmail, owned by Microsoft Corp., is often a target for hackers due to its more than 50 million accounts.

Haselton also discovered a separate exploit late Tuesday that could trick users of other Web-based e-mail sites into handing over their passwords through a false but convincing password-entry screen.

Yahoo!, Excite@Home and USA.net were found to be vulnerable to the exploit. Microsoft’s Hotmail — a perennial target due to its more than 50 million accounts — was found not to be vulnerable. Hotmail’s HTML e-mail “filter” was already designed to detect an attack of this nature.

Yahoo! Mail safeguarded users from the exploit rapidly, fixing the security hole in about an hour. Excite@Home and USA.net also implemented fixes not long after the security hole was discovered.

Fully described here, the exploit brings up a window, “Session timeout: Please re-enter your password,” when a user clicks “Reply” or “Delete” after reading a hacker’s message. When the password is re-entered, it is sent to a hostile site. The user sees nothing unusual.
