Information Security News mailing list archives

WebTV hole leaves users exposed


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Wed, 15 Sep 1999 20:57:15 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2334232,00.html

WebTV hole leaves users exposed

Security flaw left WebTV users vulnerable to e-mail bombing. Microsoft
says the problem is solved.

By Lisa M. Bowman, ZDNN
September 14, 1999 6:21 PM PT

The account information of some WebTV customers could have ended up in the
wrong hands, as a result of a security flaw in the set top box's software.

Microsoft Corp. (Nasdaq:MSFT), which owns WebTV, said Tuesday it has taken
care of the flaw, which made it possible for malicious hackers to tinker
with WebTV customers' accounts.

The problem occurred when an e-mail message sent to a WebTV user's mailbox
was bounced back -- WebTV accounts can only hold about 150 messages and
bounce back incoming e-mail messages when they are full. If the WebTV user
had the spam filter activated, then the returned message would divulge the
user's ID numbers to the sender -- in addition to the reason the e-mail
was deflected.

As a result, those who knew about the flaw could gather a WebTV customer's
account information by e-mail bombing the account -- without the customer
ever knowing about the invasion.

Net4TV duplicated flaw

The glitch was first reported by Net4TV Voice, a publication of the
interactive television consulting firm Iacta Inc. Net4TV Voice publisher
Laura Buddine said some users notified her of the breach last week. In
addition, she came across the flaw when some messages on the Net4TV
mailing list were returned containing the user's account information.
Eventually, she duplicated the problem.

Microsoft said it would be difficult for hackers to alter accounts once
they had the IDs because they also would have to trick the WebTV user into
issuing certain commands.

The security breach appears to be an iteration of a flaw that surfaced
last November, when people began noticing that user ID numbers showed up
in e-mails that had bounced back from WebTV accounts.

The glitch became a system-wide problem a few weeks ago, when WebTV
installed a new automatic spam filter, which is activated by default.
After it discovered the flaw, Net4TV was urging people to turn off the
spam filter.
