Forwarded From: Aleph One <aleph1@dfw.net>
http://www.news.com/News/Item/0,4,23710,00.html?st.ne.fd.mdh
Hotmail, Excite have privacy hole
By Courtney Macavinta
Staff Writer, CNET NEWS.COM
June 29, 1998, 7:30 p.m. PT
The free email services by Microsoft's Hotmail and Excite
are unwittingly revealing their users' account names to other Web
sites--giving spammers precious private data.
The addresses are exposed when Hotmail and Excite email users receive an
email message containing a link to a Web site, CNET NEWS.COM has learned.
When these Hotmail or Excite users click on the link, the Web site's
"referral logs" record their email addresses.
By itself, this information may not mean much, and a Web site operator
would have to plow through the site's daily server logs to harvest
Hotmail and Excite email account names.
But to a direct marketer--such as the Net's notorious senders of
unsolicited email--this information can be invaluable. The data could
help unsolicited bulk emailers identify specific users of the free
email services--helping spammers fine-tune their one-to-one marketing
tactics and track the outcomes of their sales pitches.
When alerted that its referral headers were revealing customers' email
addresses, a Hotmail spokeswoman couldn't immediately confirm the
existence of the hole, but said the company would look into the matter.
An Excite executive confirmed that the hole existed, but said he
doubted it affected many of the service's users in a negative way.
Still, he told NEWS.COM the firm would quickly work to patch the hole.
"We acknowledge this as an issue. We don't think it is a big issue,"
said Adam Hertz, vice president of development at Excite.
"It's conceivable that it would enable a spammer," he added. "We will
remedy the situation by removing the user name from the referral log.
We want our users to have the most spam-free environment we can create
for them."
The Hotmail hole was initially discovered by Jason Catlett, founder of
Junkbusters, a site that offers tools to help people eliminate
junk email and protect their online privacy. Further investigation of
other free Web-based email services found that Excite is leaking its
users' email addresses to other Web sites.
Discovery of the hole is an ironic twist for Hotmail because it
has been diligent about canning spam. The company has won lawsuits
against bulk emailers for abusing its service, and just today the
company endorsed Rep. Chris Smith's (R-New Jersey) Netizens
Protection Act to completely outlaw spam.
For Excite, this is the second security hole discovered in its
increasingly personalized portal. Last month, it was uncovered that
when shared computer users left their Excite start pages to travel to
other parts of the Net, the addresses of their personalized pages also
were recorded in server logs, giving unauthorized third parties access
to a person's stock portfolio, news preferences, birth date, marital
status, email address, and other details.
Hertz said this problem has not yet been fixed.
In the case of Hotmail, the service's numerical IP address and the user's
name are contained in a site's "referral" log. With Excite,
"mail.mailexcite.com" appears in the string along with the user's
account name. These logs tell Web sites where their traffic is coming
from--which explains why the hole is found in free Web-based email
accounts: the referring page is the user's own mailbox.
"The most obvious danger here is that spammers can use it to find out
exactly who clicks through to the sites that they spam for," Catlett
said.
"But it could also be used to scavenge email addresses from a site's
server logs," he added. "There's no practical way for people who have
been exposed in this way to go back and remove their addresses from
those logs, even if they could remember where they have been."
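The mechanism the article describes, a webmail page's URL arriving as the
"referral" entry in a destination site's server log with the account name
embedded in it, can be made concrete from the site operator's side. The
Python below is an added example; it is not code from the article, from
Hotmail, Excite or Junkbusters. The log lines, hostnames and account names
are constructed, and the rule for spotting an account name in a referring
URL (a login-style query key, or a leading path segment under a host
prefixed "mail." or "webmail.") is a heuristic assumed for illustration.
It parses combined-format log lines, reports which entries expose an
account name, and redacts those names so that the copy of the log a site
retains no longer carries them, which addresses Catlett's point that once
written, the addresses otherwise stay in the logs.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log lines in Apache/NCSA "combined" format. The second
# quoted string after the request line is the Referer header, which is where a
# webmail page URL that embeds the account name shows up. All values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/1998:19:30:01 -0700] "GET /offer.html HTTP/1.0" 200 512 "http://mail.example.net/cgi-bin/inbox?user=alice.smith&msg=42" "Mozilla/4.0"
198.51.100.9 - - [29/Jun/1998:19:31:15 -0700] "GET /offer.html HTTP/1.0" 200 512 "http://webmail.example.org/bob_jones/folder/inbox" "Mozilla/4.0"
192.0.2.33 - - [29/Jun/1998:19:32:40 -0700] "GET /index.html HTTP/1.0" 200 1024 "http://www.example.com/search?q=free+email" "Mozilla/4.0"
192.0.2.34 - - [29/Jun/1998:19:33:02 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

# Combined log format: client, identd, user, [time], "request", status, bytes,
# "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Heuristics assumed for this example (not from the article): query keys that
# commonly carry a login name, a webmail-looking host prefix, and path segments
# that are page names rather than account names.
ACCOUNT_KEYS = {"user", "username", "login", "account", "mailbox"}
WEBMAIL_HOST_RE = re.compile(r"^(mail|webmail)\.", re.IGNORECASE)
GENERIC_SEGMENTS = {"cgi-bin", "inbox", "folder", "mail", "login", "index.html"}


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # The server writes "-" when the browser sent no Referer header.
    if fields["referer"] == "-":
        fields["referer"] = None
    return fields


def account_in_referer(referer):
    """Return the account name a webmail referer exposes, or None.

    Two places are checked: a query parameter named like a login field, and,
    for a webmail-looking host, a leading path segment that is not a generic
    page name (the Excite-style case of the name sitting in the path).
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in ACCOUNT_KEYS and value:
            return value
    if WEBMAIL_HOST_RE.match(parts.hostname or ""):
        segments = [s for s in parts.path.split("/") if s]
        if segments and segments[0].lower() not in GENERIC_SEGMENTS:
            return segments[0]
    return None


def redact_referer(referer, placeholder="REDACTED"):
    """Rewrite a referer so the exposed account name is replaced before the line is kept."""
    account = account_in_referer(referer)
    if account is None:
        return referer
    parts = urlsplit(referer)
    query = urlencode(
        [(k, placeholder if v == account else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    path = "/".join(placeholder if s == account else s for s in parts.path.split("/"))
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def audit_log(text):
    """List (client, referer, account) for every line whose referer exposes an account name."""
    hits = []
    for line in text.splitlines():
        fields = parse_combined(line)
        if not fields:
            continue
        account = account_in_referer(fields["referer"])
        if account:
            hits.append((fields["client"], fields["referer"], account))
    return hits


def scrub_log(text):
    """Return the log with exposed account names replaced, for the copy a site retains."""
    out = []
    for line in text.splitlines():
        fields = parse_combined(line)
        if fields and fields["referer"]:
            line = line.replace(f'"{fields["referer"]}"',
                                f'"{redact_referer(fields["referer"])}"')
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for client, referer, account in audit_log(SAMPLE_LOG):
        print(f"{client} arrived from {referer} exposing account {account!r}")
    print(scrub_log(SAMPLE_LOG))
```

Run against the constructed sample, the audit flags the first two lines
(the account name in a query parameter and in a path segment) and leaves
the ordinary search-engine referer and the empty referer alone; the
scrubbed copy keeps the referring host, so traffic sources can still be
analysed, without the account names.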
Spammers, who often send get-rich quick offers or advertisements for
pornography, could monitor Hotmail and Excite recipients to see if
these email users bit the bait by going to a site pitched in a spam
message. In the case of adult entertainment sites, for example, simply
delivering traffic can be a lucrative venture. Spammers and other Web
site owners often are paid for each visitor they supply to an adult
content site.
These marketers also could use this unique information to send people
more spam about topics or products in which they have shown interest.
This unique data also could help determine whether it is true that
"email marketing works," as many spam messages assert these days.
Overall, this type of unsolicited marketing annoys most people, which
is evident by the public and regulatory backlash against spam.
"If [the privacy hole] is a reality [and is exploited], it's an
unfortunate side effect of the overall problem of spam," the Hotmail
spokeswoman said. "And efforts like the Smith bill will hopefully
diminish the larger problem of unsolicited email."
Using his server logs, Catlett launched a tool today that lets any Net
user confirm whether his or her Web-based email account information is
revealed when they follow a link to a site address from an email message.
He said Hotmail and Excite users should consider the offline
implications of their email addresses being passed to third parties in
this fashion. Once unique Net users are being tracked this way, he
said, it is possible for a marketer to try and match their email
address to a postal address or to generate banner ads based on their
proven interests every time they visit a site.
Catlett said the problem could be eliminated if Hotmail and Excite
changed the way they present referral information by hiding certain
data so that it doesn't reveal the email addresses.
Of course, any Web site that sends email to Hotmail and Excite users
could exploit this information. But based on political pressure
and regulatory threats, many of the Net's most popular sites are
starting to adopt privacy policies that state they will not track
visitors based on their unique identities or that if they do this,
they will not share the data with third parties.
For example, the more than 50 companies that make up the new
Online Privacy Alliance have promised to let online consumers
choose how their personal information may be used (including a choice
to opt out), and to take measures to prevent the misuse of personal
information when given to third parties. Members of the alliance
include Microsoft, America Online, IBM, and
Hewlett-Packard.
Still, these plans were criticized at a Commerce Department summit
last week for lacking clear enforcement mechanisms.
By passing account users' names on to Web sites, Microsoft's Hotmail
and Excite may be in violation of their privacy policies.
Hotmail states that it will share member information in aggregate
form, but that it will not disclose a member's name, mailing address,
email address, account, and phone number without permission.
Excite, which is a member of TRUSTe, could have covered its
liability for the apparent breach because it states that it will never
"willfully" disclose information about its customers to any third
party without permission.
Hertz said the hole was not a breach of Excite's policy.
"We didn't know about this until today," he said. "I would actually
dispute that it's a violation of our privacy policy, but the potential
for nuisance is there."
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Jun 30 12:11:09 1998