Freemail Vulnerabilities
If you have an account on Hotmail, Yahoo!, or Excite, it's vulnerable to hackers.
By Ira Winkler February 10, 1999
Free email services are a common feature on portal sites, but some of them have serious security vulnerabilities, specifically Yahoo! Mail, Excite Mail, and Hotmail.
First, these three services allow an unlimited number of log-in attempts. This means that malicious Internet users can perform password guessing and "brute force" password attacks against accounts on those systems. (After three failed log-in attempts, Yahoo! does ask the supposed user if they require help. However, additional log-in attempts are not prevented.)
Second, the user is not notified when a number of failed log-in attempts have occurred. If a password attack has been made against a user account, the user has no way of knowing.
These vulnerabilities affect a lot of Internet surfers. Free email services are extremely popular as a Web-based alternative to regular Internet service provider accounts. The ability to access mail from any Web browser and a certain level of Internet anonymity are great advantages that these accounts offer. Security, however, is a distinct disadvantage.
The problems probably are not limited to Yahoo!, Excite, and Hotmail. To test whether a particular site is vulnerable to a brute-force attack, simply try entering incorrect passwords against your own account. If the system allows more than ten invalid password entries without locking out the account, then it probably allows an unlimited number of password-cracking attempts.
Password crackers attempt to obtain an account's password by exhaustively guessing word and number combinations. For example, an attacker may use a dictionary as the source of words. More sophisticated password crackers will use word-and-number combinations, such as star99. The most time-consuming technique is to try every possible combination of letters, numbers, and special characters. Such attacks can easily be automated. Password cracking is an extremely common hacker technique.
To prevent brute-force attacks, a security function should lock an account after an excessive number of failed log-in attempts, typically three to five. Once an account is locked, the user should be emailed about the failed log-in attempts and told to contact the system administrators, who will verify the user's identity. While this would cause a temporary interruption of service, it would prevent the account from being compromised. This is a basic security practice that is built into most computer operating systems.
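As an added illustration, not code from the original article or from any of the services it names, the following Python model contrasts the two designs the preceding paragraphs describe: a login service that accepts unlimited attempts, and the same service with a lockout after a fixed number of failures plus a notification to the account holder. The guesser runs the dictionary and word-plus-number strategies from the article (a "star99"-style password is the target). The account name, password, word list, and the LoginService and brute_force names are all constructed for this example.

```python
"""Password guessing against a toy web-mail login, with and without lockout.

Everything here is constructed for the example: the account, the password,
the word list and the service itself. max_failures=None reproduces the
unlimited-attempt behaviour described in the article; an integer enables the
lockout-and-notify policy the article recommends.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Iterator, Optional

# Deliberately low so the demo runs in a moment; real deployments use far more.
PBKDF2_ITERATIONS = 1_000


class LoginService:
    def __init__(self, max_failures: Optional[int] = None) -> None:
        self.max_failures = max_failures
        self._creds: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()
        self.notifications: list[str] = []  # stands in for outbound email

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))
        self.failures[user] = 0

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        if user not in self._creds:
            return "bad_password"  # same answer as a wrong password: no user enumeration
        if user in self.locked:
            return "locked"       # even the correct password is refused until unlocked
        salt, expected = self._creds[user]
        if hmac.compare_digest(self._hash(password, salt), expected):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            self.locked.add(user)
            self.notifications.append(
                f"To {user}: {self.failures[user]} failed log-in attempts; "
                "account locked, contact support to verify your identity."
            )
            return "locked"
        return "bad_password"


def guesses(words: list[str]) -> Iterator[str]:
    """Dictionary words first, then word-plus-number variants such as star99.
    An exhaustive character-by-character search would come after these."""
    for w in words:
        yield w
    for w in words:
        for n in range(100):
            yield f"{w}{n}"


def brute_force(service: LoginService, user: str, words: list[str]) -> tuple[Optional[str], int]:
    """Return (recovered_password_or_None, attempts_made)."""
    attempts = 0
    for guess in guesses(words):
        attempts += 1
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts   # the lockout ended the attack
    return None, attempts


# Constructed word list; "star" + "99" is the article's example password shape.
WORDS = ["password", "letmein", "hotmail", "yahoo", "excite", "star", "money", "love"]


def demo() -> dict[str, dict]:
    results = {}
    for label, limit in (("unlimited", None), ("lockout_after_5", 5)):
        svc = LoginService(max_failures=limit)
        svc.register("alice", "star99")
        found, attempts = brute_force(svc, "alice", WORDS)
        results[label] = {"found": found, "attempts": attempts, "notified": len(svc.notifications)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Against the unlimited service the guesser recovers "star99" after 608 attempts (8 plain words, then 100 variants each of the first five words, then "star0" through "star99"); against the locking service it is stopped after five attempts and the holder has one notification waiting. Note that a hard lock also lets anyone who knows a user name lock its owner out, which is why the lock is normally temporary or paired with per-source throttling rather than permanent.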
Admittedly, these vulnerabilities are extremely basic. I was not expecting them to exist on all the systems I examined. I take their presence as an indication that security was not a crucial step in designing these systems.
While the sites all state that users should choose their passwords well, they do not guard against attacks that, given unlimited attempts, can eventually compromise even a well-chosen password. This leaves users, who number in the thousands or even hundreds of thousands (industry numbers measure accounts, not the number of users), vulnerable to someone with even trivial programming and hacking skills.
While no attacks have been reported, it is likely that they were attempted. It is also a given that they will be attempted and successful unless action is taken.
I contacted Yahoo! and Excite press liaisons about this issue and received no official reply. Hotmail could not be reached by telephone, and email messages to its technical support groups were not returned.
Copyright © 1997-99 Ziff-Davis TV Inc. All Rights Reserved.