Linux Today: Linux News On Internet Time.

SRO: How Hotmail Blew It

Sep 02, 1999, 19:37 (1 Talkback[s])
(Other stories by Steven J. Vaughan-Nichols)

"Analysis: Taking advantage of the Hotmail security hole was as easy as stealing an idling Porsche with the keys in the ignition switch."

"So, what caused the Hotmail security hole? It has nothing to do with a fundamental flaw with Hotmail software, the operating system or the architecture. There's also no evidence that the security vulnerability was a 'backdoor' left in the Hotmail program to enable programmers to sneak peeks at users' mail.

No, the problem exploited... was the result of sloppy CGI coding. By implicitly trusting information that's sent in the above Uniform Resource Locator (URL) data and format and not requiring any further user password check, Hotmail's security door was left wide open."

"...given Hotmail's history of security holes, the ease by which this one could be exploited, and the awe-inspiring scope of just what a huge hole it was, resellers and users cannot be blamed for looking for safer e-mail systems."

Complete Story

Related Stories: