May 6, 1997 1:45 PM PDT
NetAddress patches email bug
The company that operates NetAddress, USA.Net, said today that the vulnerability affected fewer than one percent of its 680,000 subscribers. Scott Chasin, vice president of technology, said the company fixed the problem this morning after a CNET reporter inquired about the vulnerability yesterday.
NetAddress is one of a growing number of services to offer Net surfers a free email account, supporting its business by displaying advertisements while a user reads email. As with another service, HotMail, NetAddress users access their email with an ordinary Web browser, rather than through a special email client such as Eudora or Exchange.
The vulnerability affected NetAddress users who clicked on hyperlinks on advertisements or embedded in email messages. By clicking on a hyperlink, a user could inadvertently expose a secret Web address for their email account to the Web site to which they were linking. An unscrupulous Webmaster could use the address to log on a private email account to send email in another person's name or modify their password.
Chasin said that the problem was related to changes NetAddress made in the way it authenticates certain users' identities. He stressed that users would only be affected if they had turned off the cookies features of their browsers, and that most of the service's users do not turn the feature off.
Cookies are used by Web sites to track a user's movement through a site for marketing reasons or to make it easier for the user to log on the site.
In order to be affected, users also would have to fail to log out within three hours after first logging on to NetAddress, Chasin added. He said that NetAddress had not receive any complaints about the vulnerability, but, according to a security consultant who notified CNET of the problem yesterday, users would have no way of knowing whether their privacy had been compromised.
Steve Thomas, vice president of operations at Innovative Protections Solutions, said that he was able to obtain the location of a NetAddress email account through his Web server's log files. A NetAdress user had linked to his Web site from an email message, bringing with him the supposedly secret address of his email box, he said.
"In the process of reviewing my referer log, I saw that address," Thomas said. "I entered it into my browser and logged into the user's account."
When a user hyperlinks from one site to another, they typically pass the location of the previous site to the "referer" files of the new site. Normally, that location information doesn't have any security implications, but it can if a user has just been reading their email or accessing bank account information.