[ISN] Hotmail, Excite have privacy hole

From: mea culpa (jerichoat_private)
Date: Mon Jun 29 1998 - 22:56:33 PDT

  • Next message: mea culpa: "[ISN] Re: A plausible argument why the ITAR are not valid."

    Forwarded From: Aleph One <aleph1at_private>
    
    http://www.news.com/News/Item/0,4,23710,00.html?st.ne.fd.mdh
    
       Hotmail, Excite have privacy hole
       By Courtney Macavinta
       Staff Writer, CNET NEWS.COM
       June 29, 1998, 7:30 p.m. PT
       
       The free email services by Microsoft's Hotmail and Excite
       are unwittingly revealing their users' account names to other Web
       sites--giving spammers precious private data.
       
       The addresses
       are exposed when
       Hotmail and Excite email users receive an email message containing a
       link to a Web site, CNET NEWS.COM has learned. When these Hotmail or
       Excite users click on the link, the Web site's "referral logs" record
       their email addresses.
       
       By itself, this information may not mean much, and a Web site operator
       would have to plow through the site's daily server logs to harvest
       Hotmail and Excite email account names.
       
       But to a direct marketer--such as the Net's notorious senders of
       unsolicited email--this information can be invaluable. The data could
       help unsolicited bulk emailers identify specific users of the free
       email services--helping spammers fine-tune their one-to-one marketing
       tactics and track the outcomes of their sales pitches.
       
       When alerted that its referral headers were revealing customers' email
       addresses, a Hotmail spokeswoman couldn't immediately confirm the
       existence of the hole, but said the company would look into matter.
       
       An Excite executive confirmed that the hole existed, but said he
       doubted it affected many of the service's users in a negative way.
       Still, he told NEWS.COM the firm would quickly work to patch the hole.
       
       "We acknowledge this as an issue. We don't think it is a big issue,"
       said Adam Hertz, vice president of development at Excite.
       
       "It's conceivable that it would enable a spammer," he added. "We will
       remedy the situation by removing the user name from the referral log.
       We want our users to have the most spam-free environment we can create
       for them."
       
       The Hotmail hole was initially discovered by Jason Catlett, founder of
       Junkbusters, a site that offers tools to help people eliminate
       junk email and protect their online privacy. Further investigation of
       other free Web-based email services found that Excite is leaking its
       users' email addresses to other Web sites.
       
       Discovery of the hole is an ironic twist for the Hotmail because it
       has been diligent about canning spam. The company has won lawsuits
       against bulk emailers for abusing its service, and just today the
       company endorsed Rep. Chris Smith's (R-New Jersey) Netizens
       Protection Act to completely outlaw spam.
       
       For Excite, this is the second security hole discovered in its
       increasingly personalized portal. Last month, it was uncovered that
       when shared computer users left their Excite start pages to travel to
       other parts of the Net, the addresses of their personalized pages also
       were recorded in server logs, giving unauthorized third parties access
       to a person's stock portfolio, news preferences, birth date, marital
       status, email address, and other details.
       
       Hertz said this problem has not yet been fixed.
       
       In the case of Hotmail, its numerical IP address and the user's name
       is contained in a site's "referral" log. With Excite,
       "mail.mailexcite.com" appears in the string along with the user's
       account name. These logs tell Web sites where their traffic is coming
       from--which explains why the hole is found in free Web-based email
       accounts.
       
       "The most obvious danger here is that spammers can use it to find out
       exactly who clicks through to the sites that they spam for," Catlett
       said.
       
       "But it could also be used to scavenge email addresses from a site's
       server logs," he added. "There's no practical way for people who have
       been exposed in this way to go back and remove their addresses from
       those logs, even if they could remember where they have been."
       
       Spammers, who often send get-rich quick offers or advertisements for
       pornography, could monitor Hotmail and Excite recipients to see if
       these email users bit the bait by going to a site pitched in a spam
       message. In the case of adult entertainment sites, for example, simply
       delivering traffic can be a lucrative venture. Spammers and other Web
       site owners often are paid for each visitor they supply to an adult
       content site.
       
       These marketers also could use this unique information to send people
       more spam about topics or products in which they have shown interest.
       This unique data also could help determine whether it is true that
       "email marketing works," as many spam messages assert these days.
       
       Overall, this type of unsolicited marketing annoys most people, which
       is evident by the public and regulatory backlash against spam.
       
       "If [the privacy hole] is a reality [and is exploited], it's an
       unfortunate side effect of the overall problem of spam," the Hotmail
       spokeswoman said. "And efforts like the Smith bill will hopefully
       diminish the larger problem of unsolicited email."
       
       Using his server logs, Catlett launched a tool today that lets any Net
       user confirm whether his or her Web-based email account information is
       revealed when they link to a site address from an email message .
       
       He said Hotmail and Excite users should consider the offline
       implications of their email addresses being passed to third parties in
       this fashion. Once unique Net users are being tracked this way, he
       said, it is possible for a marketer to try and match their email
       address to a postal address or to generate banner ads based on their
       proven interests every time they visit a site.
       
       Catlett said the problem could be eliminated if Hotmail and Excite
       changed the way they present referral information by hiding certain
       data so that it doesn't reveal the email addresses.
       
       Of course, any Web site that sends email to Hotmail and Excite users
       could exploit this information. But based on political pressure
       and regulatory threats, many of the Net's most popular sites are
       starting to adopt privacy policies that state they will not track
       visitors based on their unique identities or that if they do this,
       they will not share the data with third parties.
       
       For example, the more than 50 companies that make up the new
       Online Privacy Alliance have promised to let online consumers
       choose how their personal information may be used (including a choice
       to opt out), and to take measures to prevent the misuse of personal
       information when given to third parties. Members of the alliance
       include Microsoft, America Online, IBM, and
       Hewlett-Packard.
       
       Still, these plans were criticized at a Commerce Department summit
       last week for lacking clear enforcement mechanisms.
       
       By passing account users' names on to Web sites, Microsoft's Hotmail
       and Excite may be in violation of their privacy policies.
       
       Hotmail states that it will share member information in aggregate
       form, but that it will not disclose a member's name, mailing address,
       email address, account, and phone number without permission.
       
       Excite, which is a member of Truste, could have covered its
       liability for the apparent breach because it states that it will never
       "willfully" disclose information about its customers to any third
       party without permission.
       
       Hertz said the hole was not a breach of Excite's policy.
       
       "We didn't know about this until today," he said. "I would actually
       dispute that it's a violation of our privacy policy, but the potential
       for nuisance is there."
       
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:10 PDT