Millions of users of Microsoft Corp.'s free Hotmail e-mail service send out messages every day that bear the service's ubiquitous tag: "Get Your Private, Free Email at http://www.hotmail.com."
Yesterday, it wasn't exactly as described.
Microsoft had to shut down the Hotmail service for several hours yesterday to fix a major security hole: Malicious hackers created World Wide Web sites that allowed anyone unfettered access to any Hotmail account. Visitors to the sites could assume the identity of any Hotmail user merely by knowing the user's sign-on, gaining power to read private e-mail and send out e-mail under the user's name. Password protection went out the window.
"It's a huge thing," said Alberto Gaitan, an Arlington computer programmer who heard of the security flaw early Monday morning and discovered to his horror that the sites actually worked. "I went to my account and accessed it through this Web page without having to enter a password. So I knew that it was true. I went through and deleted all my mail."
It remained unclear last night who had launched the attack or how many people's e-mail accounts were illicitly accessed. At least one of the Web sites offering the access was located in Sweden.
Hotmail, a company Microsoft acquired in 1997, was an early entrant into free e-mail services. Users don't need to buy or download special software, because mail is handled completely through Web browsers such as Netscape Navigator or Microsoft's Internet Explorer. Hotmail is free because the company charges advertisers whose messages are shown to the enormous pool of customers.
Microsoft claims there are 40 million users, but in fact the number of actual users is far lower, as many people have multiple accounts, picking them up and discarding them on the fly.
The problem was reported yesterday by a Swedish publication, Expressen. Microsoft was notified of the problem early Monday morning, and several hours later shut down access to Hotmail accounts for a few hours while it fixed the problem, company spokeswoman Kimberly Bouic said.
The hackers did not actually break into Microsoft's mail computers and change features there, Bouic said; instead, they took advantage of a flaw in the software running the mail service--"a formerly unknown issue that the hacker exploited."
That allowed a half-dozen lines of computer programming code to lay open every user account on Hotmail.
"It's pretty cute," said Peter Neumann, a computer security expert with the research firm SRI International. But Neumann argued that Hotmail's woes simply show deep security problems that exist throughout the Internet. "This is just one more instance of the fact that the fundamental infrastructure is full of holes. . . . Things aren't designed to be secure, so how can you expect them to be secure?"
Microsoft, Neumann said, is not necessarily less security-conscious than other companies, but the software behemoth's position in the market means that it provides more targets for hacking, and any bugs get more attention than those at lesser companies might. "There are a lot of fleas on the 500-pound gorilla," Neumann said.
Anti-Microsoft sentiment also had a role to play in the new attack, speculated Mark Rasch, a former federal prosecutor now with Global Integrity Corp., a Reston computer security company. "Microsoft is inherently a target, because it's Microsoft," Rasch said.
Rasch said that the incident underscores the risks of online life as "people are spending more and more of their private lives and their business lives online." Web-based applications such as personal calendars, contact lists and mail are increasingly popular because they allow users to reach their data from multiple computers and locations, but dependence on someone else to hold such information is inherently risky, Rasch said.
"It's not just a security vulnerability but also a privacy vulnerability," he said. The problems underscore the need for consumers to use encryption products, Rasch said, adding: "If you want to have your calendar private, keep it in your pocket."
By late afternoon yesterday, the anonymous creator of a Web page that had copied, or "mirrored," the illicit access sites posted a message as spare as a haiku:
the show is over.
the mirror is down.
i didn't code the exploit.
i did host the mirror.
It ended with this: "btw [by the way], do you trust microsoft?"
Staff writer Michael Musgrove contributed to this report.