By Matthew Broersma
Posted on ZDNet News: Aug 27, 1998 12:00:00 AM

Web-based e-mail providers say they are taking measures to protect their millions of users against a password-stealing bug that was brought to light Monday.

However, their efforts may be for naught, according to one industry expert, who says the new security measures aren't what they're cracked up to be. Canadian Web programmer Tom Cervenka on Monday demonstrated on his Web site, because-we-can.com, how a simple e-mail message containing a few lines of JavaScript code could fool a user into revealing his password.

The roster of Web-mail providers who claim they have plugged the security hole includes Microsoft Corp.'s Hotmail; Yahoo! Mail, from Yahoo! Inc.; iName, a division of GlobeComm Inc.; and USA.net Inc.

No trouble evading defenses
Cervenka said, however, he has been able to slip past the guards at Hotmail and Yahoo! Mail without too much trouble.

"Yahoo! Mail said they already filter out JavaScript," he said. "But with a little modification, the current exploit can sneak in the same way as it does with Hotmail."

The trick, which Cervenka calls 'Hot' Mail, alters the Web-based account's user interface with JavaScript. The next time the user clicks on a link, a fake timeout message appears, requesting the username and password.

After the user returns to the normal e-mail interface, the password is then sent to a rogue user.

Cervenka originally tested the exploit on Hotmail but said it could be easily modified to work on any Web-based e-mail service that reads JavaScript in incoming e-mail messages.

E-mail providers spurred to action
As of Wednesday afternoon, some of the largest Web-mail providers said they were taking actions to close the loophole.

USA.net, which provides e-mail services to such sites as AmExMail and Netcenter, said it has instituted filters to block all JavaScript from incoming messages.

Hotmail has also begun blocking JavaScript as a "temporary fix," but Cervenka said he was able to easily work around the filter by changing the HTML tags that identify JavaScript.

Danny Winokur, USA.net vice president of business development, responded that his company is using a variety of methods to screen for JavaScript, and that the filters weren't fooled by Cervenka's workaround.

"We believe we have plugged up all the holes," he said.

Plugged the holes?
Winokur said USA.net is continuing to fine-tune its filters to block all JavaScript, but hopes to eventually allow the programming code's functionality without the security risk.
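The "temporary fix" described above matched the tags that identify JavaScript and was evaded by respelling them; an allow-list sanitizer inverts the logic, keeping only markup it knows to be safe so the spelling of anything else does not matter. The Python below is an added example for this article, not code from any of the providers named; the sample message and the fakeTimeout name are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list: everything not named here is dropped, however the tag is spelled.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)
SKIP_CONTENT = {"script", "style"}  # drop these tags and everything inside them

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag names
        if tag in SKIP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED_ATTRS.get(tag, ()) and (
                        name != "href" or SAFE_HREF.match(value.strip())):
                    kept += f' {name}="{html.escape(value)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is re-escaped; script bodies are dropped
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(message_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out)

def naive_tag_filter(message_html: str) -> str:
    """Literal-match filter of the 'temporary fix' kind: misses any other spelling."""
    return message_html.replace("<script>", "").replace("</script>", "")

# Constructed sample message (not from the article); fakeTimeout is a placeholder name.
SAMPLE = ('<p>Hi <b>there</b>, <a href="https://example.com" class="x">link</a></p>'
          '<SCRIPT>fakeTimeout()</SCRIPT>')
```

Running `naive_tag_filter(SAMPLE)` leaves the upper-case script block intact, while `sanitize(SAMPLE)` returns only the paragraph with the unlisted attribute removed.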

Hotmail has said it is working toward a similar goal.

iName and Yahoo! Mail both said they have always filtered JavaScript out of incoming messages because of the possible security risk.

"From the launch of Yahoo! Mail, we have had filters that modify incoming JavaScript to make it inoperable. We would love to have JavaScripting in messages, but today it poses too much of a security risk," said Katie Burke, senior producer of Yahoo! Mail. "We hope that changes in the future."

iName provides e-mail to sites such as Lycos, Pathfinder and AltaVista.

E-mail provider WhoWhere? Inc. did not respond to media queries Tuesday and Wednesday.

Booming business at risk?
Web-based e-mail has become a popular add-on to high-traffic sites such as Yahoo!, Excite, Lycos, Netcenter and MSN.com, drawing millions of users who want multiple e-mail accounts or who don't have a dial-up service provider of their own.

Hotmail alone says it serves 22 million accounts, with 100,000 new ones created daily.

'Hot' Mail is a variant of a trick its creator calls a "Spartan horse."

The Spartan horse was programmed as an exercise by Dannie Gregoire, proprietor of Louisville, Ky.-based Internet service provider Iglou. It can be embedded in any Web page and uses JavaScript to imitate Windows' Internet logon dialog box.

Novice users could think their computer had disconnected from the Internet, and enter the username and password for logging on to their service provider. Like the Hotmail exploit, the Spartan horse could e-mail the information to a malicious user.

Talkback
I CAN HACK HOTMAIL & YAHOO. NO BULL?HIT. amarpal_gne | 04/27/05