
August 28, 1998 2:25 PM PDT

BellSouth stamps out email bugs

BellSouth spent the morning plugging security holes in its free Web Mail Service.

Powered by Bigfoot, BellSouth Web Mail this week discovered a number of security bugs. The first group of these consists of password-stealing Trojan horses, or malicious exploits that insinuate themselves invisibly into the user experience. They are the same variety that plagued Microsoft's Hotmail and dozens of other freemailers this week.

The other type of bug BellSouth took care of this morning had to do with the way Bigfoot's Webmail technology tracks users' identities as they go from page to page. Bigfoot tracks its users with what is known as a "referer page," which includes user names and encrypted passwords.

The security problem resulted from the fact that the URL for these pages was showing up on third-party server logs of sites that users visited directly from their BellSouth Web Mail accounts. If the administrator for that third-party server cut that URL from the server log and pasted it into a browser window within the time limits that Webmail services normally impose on sessions, that administrator would have full access to the mail account.

Bigfoot patched this second bug by implementing a system of identifying users not only by name and password, but also by the Internet protocol address of the computer they use to log on for a given session. By checking for the IP address, the system prevents a third-party computer (which has its own distinct IP address) from accessing the account.
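The check described above can be sketched as follows. This is an added example, not Bigfoot's code: the HMAC token format, the `SERVER_KEY` secret, the 15-minute limit and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
SESSION_TTL = 15 * 60                 # assumed session time limit, in seconds


def _mac(user, client_ip, expires):
    # The login IP is mixed into the MAC but never stored in the token itself.
    payload = f"{user}|{client_ip}|{expires}".encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user, client_ip, now=None):
    """Return a session token bound to the user, the login IP and an expiry."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    start = time.time() if now is None else now
    expires = int(start + SESSION_TTL)
    return f"{user}|{expires}|{_mac(user, client_ip, expires)}"


def check_token(token, client_ip, now=None):
    """Return (ok, detail). client_ip comes from the connection, not the request."""
    now = time.time() if now is None else now
    try:
        user, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False, "malformed"
    expected = _mac(user, client_ip, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "ip-or-token-mismatch"
    if now > expires:
        return False, "expired"
    return True, user


def replay_demo():
    """Constructed scenario: a token leaks in a URL and is replayed elsewhere."""
    token = issue_token("alice", "192.0.2.10", now=1000)       # user logs in
    owner = check_token(token, "192.0.2.10", now=1060)         # same machine
    third_party = check_token(token, "198.51.100.7", now=1060) # pasted from a log
    return owner, third_party
```

IP binding does not stop a replay from a machine that shares the user's address, such as one behind the same NAT or proxy, so keeping session identifiers out of URLs remains the more complete fix.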

"Before today we didn't define the user from a physical location," said Monty Faidley, business development manager for Bigfoot. "Now, by specifying the user's location, by checking the user's IP address, we have fixed the bug."

Faidley stressed that no incidents of malicious activity involving either type of security hole had been reported.

BellSouth and Bigfoot became aware of the problem after bug reports were posted on the Internet. One such report was posted Tuesday to "bugtraq@netspace.org" by Leonid Knyshov, a consultant with Crashproof Solutions.

BellSouth is the only company that licenses Bigfoot's Web mail technology, according to Bigfoot. Bigfoot is in negotiations with other potential partners.
