A Danish government official has reported a security hole that could allow unauthorized access to private accounts on Hotmail, the free Web email service. The company confirmed the hole exists and said Friday it would patch it within a day.
The hole allows an unauthorized party to sneak into a valid Hotmail session by circumventing normal authentication measures.
When users log on to Hotmail, special URLs are created as they access their email accounts. The special URLs are easily obtained, and an attacker could use them to access the user's account. But for the hole to be exploited, some luck is needed: The victim must be using Hotmail at the same time and with the same IP address as the attacker.
"In the remote chance that somebody happened to get the same IP address, there is a very remote possibility that that is possible," said Steve Douty, vice president of marketing and sales at Hotmail. "But as of tomorrow that will be completely impossible."
Douty said that Hotmail uses two methods of identifying users: a cookie is planted on the user's machine, and the user's IP address for that session is logged so that future requests can be identified as coming from the same user.
"The change that we're putting into the system is that if the cookie doesn't match - and that is, if you're using a different computer in your office behind a proxy server - then you'll get bounced right away," Douty said.
"One thing to keep in mind is that if (Hotmail's) security is based on checking for multiple IP addresses, then that is very dangerous because it is possible for an attacker to spoof an IP address," said Avi Rubin, AT&T Labs researcher and co-author of The Web Security Sourcebook. "That is, if an attacker knows the IP address of the victim, then the attacker can 'pretend' to come from that IP address as well."
The exploit was discovered by Hotmail user Nikolaj Heinsen of the Ministry of Economic Affairs in Denmark. Heinsen discovered the hack while surfing the Net for security-related information on his network at work. In his travels, he came across information on hacking Hotmail, and decided to try it - and it worked.
What caught his interest in the Hotmail hole was its simplicity.
"Had the 'hack' involved any kind of hacker trickery, I wouldn't have tried it," he said. "I don't believe that any system is 100 percent secure, but I've always thought you had to be a real wizard to break the big ones. Apparently not."
The company said it has received no complaints about malicious use of the "exploit," which Douty likens to "a very elaborate mechanism to recreate the function of the [browser's] Back button."
"Privacy and security are two areas that we've worked very hard at since we launched this service a year and a half ago," said Douty. "And we've got about 12 million customers that are pretty happy with both of those aspects of our service."