Hotmail glitch: A wakeup for consumers

13 October 2000 03:00 PM
Tags: hotmail, code, hole, exploit, microsoft, user, site, hack
Microsoft says it has fixed a security hole that left millions of Hotmail users exposed on the Internet -- but it may not be able to repair the public relations damage sure to follow.

The private accounts of millions of Hotmail users were left exposed for hours, after several Web sites exploited a security hole in Microsoft software.

The Web sites let anyone read, send or delete mail from an account simply by typing in a user name. No password was required.

Microsoft took its Hotmail servers down after learning of the problem from the European press (several of the sites originated in Europe). By late morning, Microsoft said it had plugged the hole and promised that future attacks would be prevented.

Fix underway
Some readers sent messages to ZDNet after the fix had apparently been enabled saying they could still raid people's accounts, but security experts said that's because Microsoft is going from server to server, fixing the problem.

With 40 to 50 million users, Hotmail is the largest e-mail service in the world.

The hack apparently exploited a glitch that let Hotmail accept users as valid without cross-checking the URL that referred them to the site.

A Microsoft spokeswoman said she didn't think people really cared how the security hole was exploited, only that the hole had been fixed to prevent future breaches. She said the hack required a "very advanced knowledge of Web development language."

However, several computer experts said the code that took advantage of the Hotmail hole -- code that's been posted on hacker sites -- was actually quite simple.

Coding is "trivial"
"It's trivial. It's just some HTML code," said Richard Smith, security expert and president of Phar Lap software, who was instrumental in catching the creator of the Melissa virus.

Jay Dyson, a computer systems specialist in Pasadena, called the code "pathetically easy" to write.

What's more, exploiting the hack to view someone's account doesn't require any computer proficiency -- only a browser and the ability to type in a user name.

"The script is so trivial, I would be inclined to believe that this has been in the wild for a long time," Dyson said.

Code is considered "in the wild" when it's passed among hackers without actually being exploited by users. But apparently some found this code too compelling to resist, so they posted sites that let users spy on other people's accounts.

One of the earliest sites to exploit the bug was registered to Stockholm, Sweden-based Moving Pictures. In an e-mail exchange with ZDNet News, Erik Barkel, the person listed on Network Solutions Inc. as the administrator, said: "I got credit for something I didn't do. I didn't code. I did put up a mirror."

After the Hotmail hack site was taken down, the URL registered to Moving Pictures was directing people to a variety of sites, including Microsoft's own security page and a rant about Internet standards and date-related software problems.

Microsoft said it had no immediate plans to notify users that their Hotmail accounts may have been read. Callers to Hotmail's technical support line were greeted with waits as long as 20 minutes. Technical support people were telling users that discarded Hotmail messages would still be in the trash, and documents that had been read would be marked as such.

Wake-up call?
Computer consultants and security experts hoped the move would be a wake-up call for consumers to demand more secure software.

"Basically the consumers are going to have to start asking for better security or Microsoft's not going to see it as a big problem," DeLong said.

He said until users do that, Microsoft isn't going to make security a priority.

"It's just another example of large software companies doing reactive bug fixing rather than proactive bug fixing," he said. "It's very frightening."
