CNET News.com: Hotmail hole raises larger security issues

“A security hole discovered yesterday in Microsoft’s MSN Hotmail
calls into question the free email service’s practice of allowing
users to log on from any Web page, security experts said.”

“While Netscape, Yahoo, and other free email services direct
users to specific login Web sites, Hotmail allows users to access
their accounts from any Web page. A simple login HTML form or
Javascript, which appears on the Web page as a box for the username
and password, is all that is needed. Many Web sites offer this

“‘I think [login programs are] a big mistake,’ said Richard
Smith, president of Cambridge-based Phar Lap Software. ‘If you log
in from somebody else’s Web page, they can equally bug the message
to grab your username and password.’”

“The only solution, said security experts, is to restrict login
access to a central page.”