After a long day of updating hundreds of servers, Microsoft believes it has fixed a flaw in Hotmail that allowed anyone to access users' e-mail accounts, a company spokesperson said yesterday.
The company was alerted to a flaw that allowed a Swedish-hosted Internet site to access any user's Hotmail account without a password, and believed it had the issue resolved.
However, tests by International Data Group showed that a slight variation on the original exploit still allowed access to accounts. The company now believes it has updated all its servers appropriately and is performing a closer inspection of each machine.
"We've been updating the Hotmail servers throughout the morning. There was one that hadn't yet been updated, but it has now," said a Microsoft spokesperson. "We now have testers manually double-checking each server to make sure they are updated. The bottom line is it should be fixed."
The attack is particularly devastating because of the millions of potentially vulnerable accounts and how simple it is to exploit the hole. The exploit does not require any hacking skills, only the name of a user account and the ability to cut and paste text.
The flaw, which was uncovered on Monday, was fixed on certain servers. But by varying the server number entered, IDG's test centre representatives were still able to access Hotmail e-mail accounts without a password. The representatives have confirmed that the flaw was no longer accessible yesterday afternoon.
The flaw first surfaced when a Swedish Web site posted a Web page that allowed users to input the name of any valid Hotmail user and then access the e-mail account of that user, giving them the ability to read and send mail from an account.
Microsoft was contacted about the bug by European users, and shut down the service until the issue was supposedly rectified, according to a company spokesperson.
A technical information source, Slashdot.org, also announced that Hotmail e-mail accounts were vulnerable to the simple security breach.
The exploit appears not to be a "crack" so much as an abuse of the URL naming conventions of Hotmail accounts. By requesting a certain URL combination with a specific parameter set to indicate that no password is being supplied, the requester is redirected straight into the targeted Hotmail e-mail account.
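To make the failure mode concrete, the following is an added illustration written for this article, not Hotmail's code: a toy web-mail login handler that honours a client-supplied "no password" URL parameter, beside a hardened handler that decides authentication only from server-held credentials, plus a fleet check for the partial-rollout situation the article describes (some servers patched, one missed). The parameter names `login`, `passwd`, `srv`, the value `_nopassword`, the accounts and the server numbers are all hypothetical.

```python
# Added illustration, not Hotmail's code. All names and values are hypothetical.
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account -> password, and which servers carry the fix.
ACCOUNTS = {"alice": "correct-horse", "bob": "battery-staple"}
PATCHED_SERVERS = {1, 2, 3}          # server 4 was missed in the rollout

def _fields(url: str):
    q = parse_qs(urlparse(url).query)
    return q.get("login", [""])[0], q.get("passwd", [""])[0]

def vulnerable_login(url: str) -> bool:
    """Grants access when the hypothetical 'passwd' parameter carries the
    magic 'no password' value (the defect), or when the password matches."""
    user, passwd = _fields(url)
    if user not in ACCOUNTS:
        return False
    if passwd == "_nopassword":          # client-controlled bypass flag
        return True
    return passwd == ACCOUNTS[user]

def hardened_login(url: str) -> bool:
    """Authenticates only by comparing the supplied secret to the stored one;
    no request field can switch verification off."""
    user, passwd = _fields(url)
    stored = ACCOUNTS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(passwd.encode(), stored.encode())

def fleet_login(url: str) -> bool:
    """Routes the request to the server named in the hypothetical 'srv'
    parameter: patched servers run the hardened handler, unpatched ones
    still run the old code (the partial rollout the article describes)."""
    srv = int(parse_qs(urlparse(url).query).get("srv", ["1"])[0])
    handler = hardened_login if srv in PATCHED_SERVERS else vulnerable_login
    return handler(url)

def unpatched_servers(servers, bypass_url_template: str) -> list:
    """Post-rollout fleet check: list every server that still grants access
    to a password-less request, instead of trusting that all were updated."""
    return [s for s in servers if fleet_login(bypass_url_template.format(srv=s))]
```

Running `unpatched_servers(range(1, 5), ...)` with a password-less request against the sample fleet reports server 4, the one the rollout missed.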
As the bug is part of the company's servers, Hotmail users need not worry about downloading a fix, according to Microsoft. The company also could not confirm if the bug was made possible by a new log-in system as part of the site.
"There is no consumer action required. They don't have to download a fix or anything, it's all resolved on the Microsoft side," the Microsoft spokesperson said. "I don't know the connection, if any [to the new log-in system], we just acted quickly to protect users."
Hotmail, which was acquired by Microsoft last year, targets its free e-mail accounts at consumers, but many corporate users have used Hotmail or other free e-mail services as a backup to corporate messaging systems. It has approximately 40 million accounts.