NextCard Internet Visa - Apply Now

ZDTVHomeShowsInteractSearchAbout UsSite HelpNewsZDNet

Ira Winkler's Bio


Freemail Vulnerabilities

If you have an account on Hotmail, Yahoo!, or Excite, it's vulnerable to hackers.
By Ira Winkler  February 10, 1999

Free email services are a common feature on portal sites, but some of them have serious security vulnerabilities-- specifically, Yahoo! Mail, Excite Mail, and Hotmail.

First, these three services allow an unlimited number of log-on attempts. This means that malicious Internet users can perform password guessing and "brute force" password attacks against accounts on those systems. (After three failed log-in attempts, Yahoo! does ask the supposed user if they require help. However, additional log-in attempts are not prevented.)

Second, the user is not notified when a number of failed log-in attempts have occurred. If a password attack had been attempted against a user account, the user has no way of knowing.

These vulnerabilities affect a lot of Internet surfers. Free email services are extremely popular as a Web-based alternative to regular Internet service provider accounts. The ability to access mail from any Web browser and a certain level of Internet anonymity are great advantages that these accounts offer. Security, however, is a distinct disadvantage.

The problems probably are not limited to Yahoo!, Excite, and Hotmail. To test whether a particular site is vulnerable to a brute-force attack, simply try entering incorrect passwords. If the system allows more than ten invalid password entries without locking out the account, then it probably allows an unlimited number of password-cracking attempts.

Password crackers attempt to obtain an account's password by exhaustively guessing word and number combinations. For example, an attacker may use a dictionary as the source of words. More sophisticated password crackers will use word-and-number combinations, such as star99. The most time-consuming technique is to try every possible combination of letters, numbers, and special characters. Such attacks can easily be automated. Password cracking is an extremely common hacker technique.

To prevent brute-force attacks, a security function should lock an account after an excessive number of failed log-in attempts, typically three to five. Once an account is locked, the user should be emailed about the failed log-in attempts and told to contact the system administrators, who will verify the user's identity. While this would cause a temporary interruption of service, it would prevent the account from being compromised. This is a basic security practice that is built into most computer operating systems.

Admittedly, these vulnerabilities are extremely basic. I was not expecting them to exist on all the systems I examined. I take their presence as an indication that security was not a crucial step in designing these systems.

While the sites all state that users should choose their passwords well, they do not account for attacks that can compromise even the best passwords. This leaves users, who number in the thousands or even hundreds of thousands (industry numbers measure accounts, not the number of users), vulnerable to someone with even trivial programming and hacking skills.

While no attacks have been reported, it is likely that they were attempted. It is also a given that they will be attempted and successful unless action is taken.

I contacted Yahoo! and Excite press liaisons about this issue and received no official reply. Hotmail could not be reached by telephone, and email messages to its technical support groups were not returned.

· What You Can Do
· Picking a Good Password

also on
· Home and Computer Security
· Security's Success
· Java Security
· Talk Back on Network Security
· Secure Access
· Business Security Tips
· Internet Explorer Security Tips
· Java Security Solutions
· Could you please go over the security issues and security settings for Netscape and Internet Explorer? Can the people or the computers at websites I connect to see or change the files on my hard drive?

zdnet links
· ZDNN: Freemail bug steals passwords

sponsored links
· Buy books on PC system at
· Click here to bid on PC system-related merchandise at eBay
· Make your next purchase with a NextCard Internet Visa. Click here!

past selections

Home | Shows | Interact | Search | Get ZDTV | About Us | Site Help | News | ZDNet

Big Thinkers | Call for Help | Computer Shopper | CyberCrime | Digital Avenue | Fresh Gear | GameSpot TV | Internet Tonight | The Money Machine | The Screen Savers | Silicon Spin | ZDTV News | ZDTV Radio
Copyright © 1997-99 Ziff-Davis TV Inc. All Rights Reserved.
Use of is subject to certain Terms and Conditions. We respect your privacy.


Virus Watch

Safety Tips


chaos theory promo

spy files promo