A Microsoft programming error is the most likely explanation for a Hotmail glitch that deposited 10 emails dispatched by other people into Computerworld reporter David Watson’s sent folder.
That’s the view of Auckland security specialist Arjen De Landgraaf, who runs an alert service warning of computer security flaws.
But Microsoft, which owns Hotmail, has failed to come up with a definite cause three weeks after the problem was reported in Computerworld (see Trustworthy computing? Not Hotmail). Repeated attempts to get an answer from the software giant — including from headquarters in Redmond — have drawn a blank.
“It could have been one of 50 different things, but it is very likely that the problem was something in Hotmail itself,” according to de Landgraaf. “What I think happened is that Microsoft made a programming error.”
De Landgraaf believes the problem has been fixed, as December 9 was the last time an email written by someone else and addressed to a legitimate email address was somehow routed through Watson’s account, resulting in him being named as the sender in the header section.
Among the emails was one containing details of the sender’s bank accounts and another relating to the sender’s ACC claim.
The exact process by which the emails got into Watson’s sent messages box is unclear, but de Landgraaf says a small error can affect a large number of users, given the size of Hotmail, which has more than 100 million users.
“As an example, if a pointer — the bit of code in a program that points to your area — is 10 bytes out, it can have a big effect.”
The MSN Hotmail team’s attempts to explain the occurrence have focused on the fact that Watson revealed his password to Computerworld editor Anthony Doesburg, so that Doesburg could access a work-related email coming through Watson’s account.
But de Landgraaf doesn’t believe that could have caused the situation described above. “It’s got nothing to do with it.”
Another possible explanation offered by the MSN Hotmail team is that “many ISPs, including Australia and New Zealand, cache their web pages for faster downloads.
“Because of this, users will sometimes be served pages which are not their own. This is not a security issue of MSN Hotmail.
“MSN structures the URLs as such that if a user is served a page they shouldn’t be, they still can’t click around, but David could be viewing the wrong pages as well.”