SRO: How Hotmail Blew It

“Analysis: Taking advantage of the Hotmail security hole was as
easy as stealing an idling Porsche with the keys in the ignition

“So, what caused the Hotmail security hole? It has nothing to do
with a fundamental flaw with Hotmail software, the operating system
or the architecture. There’s also no evidence that the security
vulnerability was a ‘backdoor’ left in the Hotmail program to
enable programmers to sneak peeks at users’ mail.

No, the problem exploited… was the result of sloppy CGI
coding. By implicitly trusting information that’s sent in the

above Uniform Resource Locator (URL) data and
and not requiring any further user password check,
Hotmail’s security door was left wide open.”

“…given Hotmail’s history of security holes, the ease by which
this one could be exploited, and the awe-inspiring scope of just
what a huge hole it was, resellers and users cannot be blamed for
looking for safer e-mail systems.”