Information Security News mailing list archives

Bug bites free email services at MailCity, iVillage


From: William Knowles <wk () C4I ORG>
Date: Wed, 7 Jun 2000 17:56:34 -0500

http://news.cnet.com/news/0-1005-200-2036086.html?tag=st.ne.1002.thed.ni

By Evan Hansen
Staff Writer, CNET News.com
June 7, 2000, 5:15 p.m. PT

In the latest security breach besetting free Web-based email services,
Lycos' WhoWhere said it had fixed a problem this week affecting
millions of accounts, including those belonging to MailCity and
iVillage members.

WhoWhere representatives would not disclose how many people have
registered for the company's MailCity service, nor would they estimate
how many other accounts may have been at risk or how long the bug
might have existed. Representatives for women's portal iVillage said
the company has 4.9 million registered subscribers for its free email
service, which it has outsourced to WhoWhere for about two years.

WhoWhere spokesman Brian Degonia confirmed the service had a problem
but said the company received no complaints about security breaches
until it was contacted Monday by CNET News.com. He said the problem
was fixed by Monday night.

The breach, which allowed intruders to peruse email and send messages
as though accounts were their own, serves as the latest reminder of
pervasive security problems with free Web-based email services,
security experts said.

The problem was first noticed by an iVillage customer last week. Alan
Redpath, whose online moniker is "Geordie Al," said he noticed that
the company's free email service allows Web sites to collect data that
lets intruders enter password-protected accounts.

Access to the accounts was gained through a program called Site Meter,
which some Web sites use to collect traffic data. If a person visited
a Web page through a link embedded in an email received at his or her
iVillage or MailCity account, the information recorded in Site Meter's
referral log might have been used to take over the account.

Security issues with Web site traffic counters are not new.
Microsoft's free email service, Hotmail, fixed a bug allowing similar
unauthorized access more than a year ago.

Security consultant Richard Smith, who has tracked down numerous
online security and privacy bugs, said the problem stemmed from
WhoWhere's verification procedures, which check a person's login and
password information.

"This kind of thing is normally prevented by a cookie that checks to
see if the person is logging in from the right computer," he said.
"Instead, WhoWhere puts the login information in the (Web address),"
where it can be captured by an outsider.

A cookie is an electronic tag placed on a computer's hard drive to
facilitate Web browsing activities.

Degonia confirmed that the service does not use cookie authentication
and includes login and password information in Web addresses, or URLs.
But he said the service uses other security measures to address the
authentication problem. He explained that the company uses proxy
servers to keep session information such as login names and passwords
out of the wrong hands.
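The two designs Smith and Degonia describe can be put side by side in code. The example below is added here and is not code from the article, from WhoWhere or from Site Meter: it models what a browser of the day sent as the Referer header when a user followed a link out of a page whose URL carried login data, shows the cookie-backed session design Smith refers to (an opaque session id that never appears in a URL), and adds a defender-side check that scans a traffic counter's referral log for credential-like query parameters and redacts them. All hostnames, parameter names, log lines and passwords are constructed for the example, and the list of sensitive parameter names is an assumption, since the article does not name WhoWhere's actual parameters.

```python
"""Credentials-in-URL leakage via Referer, a cookie-session alternative,
and a referral-log scrubber. Everything here is constructed for the example."""
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query parameter names that carry login or session data.
SENSITIVE_PARAMS = {"login", "user", "username", "password", "passwd",
                    "pw", "session", "sid", "token"}


def referer_for_outbound_click(page_url: str) -> str:
    """Referer value a browser sent when the user followed a link from
    page_url: the full URL including the query string (the fragment is
    never sent). If the query holds credentials, the linked site's
    traffic counter receives them in its referral log."""
    s = urlsplit(page_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def credentials_leaked(referer: str) -> dict:
    """Credential-like parameters present in a Referer value (empty if none)."""
    return {k: v for k, v in parse_qsl(urlsplit(referer).query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_url(url: str) -> str:
    """Replace the values of sensitive query parameters, keeping the rest."""
    s = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(s.query, keep_blank_values=True)]
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(pairs), s.fragment))


REFERER_RE = re.compile(r'referer="([^"]*)"')


def scrub_referral_log(lines):
    """Scan referral-log lines (constructed format: ... referer="URL") for
    leaked credentials. Returns (number_flagged, redacted_lines)."""
    flagged, out = 0, []
    for line in lines:
        m = REFERER_RE.search(line)
        if m and credentials_leaked(m.group(1)):
            flagged += 1
            line = line[:m.start(1)] + redact_url(m.group(1)) + line[m.end(1):]
        out.append(line)
    return flagged, out


def make_user_record(password: str):
    """Salted PBKDF2 hash for the constructed user table."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CookieSessionStore:
    """Cookie-backed sessions: identity lives server-side, keyed by an
    opaque random id that travels only in a cookie, never in the URL."""

    def __init__(self, users):
        self._users = users        # username -> (salt, pbkdf2 hash)
        self._sessions = {}        # session id -> username

    def login(self, username: str, password: str):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        sid = secrets.token_urlsafe(32)   # value for an HttpOnly session cookie
        self._sessions[sid] = username
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)


def inbox_url_with_cookie_session(message_id: int) -> str:
    """With cookie sessions the page URL holds nothing worth leaking."""
    return f"http://mail.example.test/inbox?msg={message_id}"


# Constructed referral-log lines, as a traffic counter might record them.
SAMPLE_LOG = [
    '2000-06-05 10:01:02 GET /counter.gif referer="http://mail.example.test/inbox?login=alice&password=hunter2&msg=42"',
    '2000-06-05 10:01:09 GET /counter.gif referer="http://mail.example.test/inbox?msg=43"',
    '2000-06-05 10:02:11 GET /counter.gif referer="-"',
]

if __name__ == "__main__":
    leaky = "http://mail.example.test/inbox?login=alice&password=hunter2&msg=42#top"
    print("Referer sent:", referer_for_outbound_click(leaky))
    print("Leaked:", credentials_leaked(referer_for_outbound_click(leaky)))
    print("Leaked with cookie session:", credentials_leaked(inbox_url_with_cookie_session(42)))
    n, cleaned = scrub_referral_log(SAMPLE_LOG)
    print(f"{n} log line(s) flagged; first line after redaction:\n  {cleaned[0]}")
```

The scrubber is the check a site operator running a traffic counter would want: any referral-log line carrying login or session parameters is a sign that some upstream site is exposing its users, and the redacted copy can be kept without retaining the credentials themselves. Smith's point that a cookie "checks to see if the person is logging in from the right computer" is captured by `CookieSessionStore`: the random session id is bound to the browser that completed the login, and the page URL that reaches a third party's log is identical for every user.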

Smith said today that WhoWhere had fixed the problem, but he offered a
caveat.

"They need to figure out every possible way a leak can happen," he
said. "It looks like they found one this week. But that doesn't mean
they won't find more in the future."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".