In what may be one of the largest e-mail security breaches ever, a Web site may have allowed people access to millions of private Hotmail accounts.
The Hotmail snafu is sure to reignite debate about privacy and security on the Web, as well as direct more criticism toward Microsoft Corp. (Nasdaq:MSFT), which owns Hotmail.
The site allowed any Web user access to people's Hotmail accounts simply by typing in a Hotmail user name.
Once the name was entered, the Hotmail account and mailbox for that account were easily viewed. Messages, in many cases, could be read or forwarded.
Microsoft took down Hotmail servers for a couple hours Monday morning to fix the glitch. Microsoft said the fix also was designed to prevent future attacks. It's not notifying users that their e-mail may have been read.
But some users say Microsoft has not made a fix -- the vulnerability still exists.
There are between 40 million and 50 million Hotmail users, according to market researchers -- making it by far the largest e-mail service.
The problem wasn't a small hole that only a technically adept hacker could exploit. With this hole, anyone with access to a short HTML script, already widely circulated, could open Hotmail accounts.
Reporters at Sm@rt Reseller found that Hotmail in-boxes could be viewed, and messages forwarded or deleted -- all by simply putting a user name in the script.
Early details were sketchy, but the problem appeared to be the result of sloppy programming at the front end of the service. Essentially, Hotmail was configured to accept anyone's ID as a valid, already-authenticated user ID when it arrived within a specific URL framework. The problem is that if a person knew what that URL framework was and inserted someone else's ID, then that person could raid that account.
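The flaw described above is a front end that takes the request's own claim of identity at face value. The following is an added illustration, not code from the article or from Microsoft: a toy mailbox handler that trusts a user name carried in the request, beside a corrected version that resolves the user only from a server-side session established at login. The parameter name `login`, the cookie name `session`, and the mailbox data are all constructed for the example.

```python
# Added example (hypothetical names, constructed data): a handler that trusts
# a user name supplied in the request, and the fix that derives identity from
# a server-side session instead.
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed mailbox store: user name -> messages.
MAILBOXES: Dict[str, List[str]] = {
    "alice": ["Invoice from Bob", "Lunch on Friday?"],
    "bob": ["Re: Invoice"],
}

def vulnerable_inbox(params: Dict[str, str]) -> Optional[List[str]]:
    """The flaw: whatever user name the request carries is treated as the
    logged-in user, so anyone who knows the parameter can open any mailbox."""
    user = params.get("login")
    return MAILBOXES.get(user)

# Hardened design: opaque session token -> user who actually authenticated.
SESSIONS: Dict[str, str] = {}

def login(username: str, password: str, passwords: Dict[str, str]) -> Optional[str]:
    """Verify credentials and issue a random session token; returns None on
    failure. A real system compares password hashes, not plaintext."""
    expected = passwords.get(username, "")
    if not expected or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def hardened_inbox(params: Dict[str, str], cookies: Dict[str, str]) -> Optional[List[str]]:
    """The fix: any user name in the URL is ignored; the user is whoever the
    session token was issued to, and no token means no mailbox."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return None
    return MAILBOXES.get(user)
```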
No other Web-based e-mail services were affected by the problem.
In a bit of programming satire, visitors to the site where Hotmail access was offered are now redirected to Microsoft's security area.
Steven J. Vaughan-Nichols and Jason Perlow of Sm@rt Reseller, and Lisa Bowman and John Spooner of ZDNN, contributed to this report.