Freemail Vulnerabilities

By Ira Winkler

February 10, 1999

http://www.zdnet.com/zdtv/cybercrime/spyfiles/story/0,3700,2205746,00.html

If you have an account on Hotmail, Yahoo!, or Excite, it's vulnerable to hackers.

[And yet, a few years later, Winkler says you have absolutely nothing to worry about from hackers.]

Free email services are a common feature on portal sites, but some of them have serious security vulnerabilities, specifically Yahoo! Mail, Excite Mail, and Hotmail.

First, these three services allow an unlimited number of log-on attempts. This means that malicious Internet users can perform password guessing and "brute force" password attacks against accounts on those systems. (After three failed log-in attempts, Yahoo! does ask the supposed user if they require help. However, additional log-in attempts are not prevented.)

Second, the user is not notified when a number of failed log-in attempts have occurred. If a password attack had been attempted against a user account, the user has no way of knowing.

These vulnerabilities affect a lot of Internet surfers. Free email services are extremely popular as a Web-based alternative to regular Internet service provider accounts. The ability to access mail from any Web browser and a certain level of Internet anonymity are great advantages that these accounts offer. Security, however, is a distinct disadvantage.

The problems probably are not limited to Yahoo!, Excite, and Hotmail. To test whether a particular site is vulnerable to a brute-force attack, simply try entering incorrect passwords. If the system allows more than ten invalid password entries without locking out the account, then it probably allows an unlimited number of password-cracking attempts.

[Probably? In his vast years of pen-testing, he hasn't run into a single case of an application or service being vulnerable to brute forcing weaknesses?]

Password crackers attempt to obtain an account's password by exhaustively guessing word and number combinations. For example, an attacker may use a dictionary as the source of words. More sophisticated password crackers will use word-and-number combinations, such as star99. The most time-consuming technique is to try every possible combination of letters, numbers, and special characters. Such attacks can easily be automated. Password cracking is an extremely common hacker technique.

[Password Cracking is not the same as remotely brute force attacking an application like Yahoo or Hotmail. Very few hackers rely on brute forcing as it takes an incredibly long time to complete, regardless of resources. Password cracking relies on having a hashed value of the password and then exhausting all possible combinations.]

To prevent brute-force attacks, a security function should lock an account after an excessive number of failed log-in attempts, typically three to five. Once an account is locked, the user should be emailed about the failed log-in attempts and told to contact the system administrators, who will verify the user's identity. While this would cause a temporary interruption of service, it would prevent the account from being compromised. This is a basic security practice that is built into most computer operating systems.
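The lockout-and-notify policy described above, as an added illustration rather than code from the article or from any of the named services; the salted PBKDF2 hashing, the threshold of five and the in-memory notification list are assumptions standing in for a real mail server and user database:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Lockout threshold (assumed); the article recommends three to five.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    # Stands in for e-mail delivery: messages the user would be sent.
    notifications: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database is not trivially crackable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt))


def login(acct: Account, password: str) -> str:
    """Attempt a log-in; returns 'ok', 'denied' or 'locked'."""
    if acct.locked:
        # A locked account rejects even the correct password until an
        # administrator has verified the user's identity.
        return "locked"
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        if acct.failed_attempts:
            # Tell the user that someone was guessing before they got in.
            acct.notifications.append(
                f"{acct.failed_attempts} failed log-in attempt(s) preceded this log-in")
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.notifications.append(
            "account locked after repeated failed log-ins; contact support to verify identity")
        return "locked"
    return "denied"
```

A hard lockout also lets anyone who knows a username deny that user service by deliberately failing log-ins, which is why many services today pair or replace it with per-source rate limiting and delays.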

Admittedly, these vulnerabilities are extremely basic. I was not expecting them to exist on all the systems I examined. I take their presence as an indication that security was not a crucial step in designing these systems.

While the sites all state that users should choose their passwords well, they do not account for attacks that can compromise even the best passwords. This leaves users, who number in the thousands or even hundreds of thousands (industry numbers measure accounts, not the number of users), vulnerable to someone with even trivial programming and hacking skills.

While no attacks have been reported, it is likely that they were attempted. It is also a given that they will be attempted and successful unless action is taken.

I contacted Yahoo! and Excite press liaisons about this issue and received no official reply. Hotmail could not be reached by telephone, and email messages to its technical support groups were not returned.

What You Can Do

Users can't currently do much to prevent their accounts from being compromised. However, until the services redesign their log-in process, surfers should be aware that an attacker may be able to access email messages and other information stored on the system. Attackers may also be able to assume your identity online. Accordingly, you should delete all sensitive messages and not use the accounts to receive sensitive messages.

The best thing you can do is contact your service, let it know how important security is to you, and tell it that you expect it to correct this problem. You can also recommend that it implement the Secure Sockets Layer (SSL) protocol for log-ins and for accessing your information. SSL encrypts the data that you send to and receive from a website and has no discernible effect on your system. This protects your information from being read by people using sniffers to capture information on the Internet as it is being sent.

[Users can do one thing that is immensely helpful actually; pick a strong password that is not likely to be brute forced. You know, like you recommend shortly after saying users can't do much. Further, SSL does not prevent the attacks described in this article.]

Picking a Good Password

Although no one is exempt from a brute-force attack, taking a few precautions can make it significantly harder for others to guess your password.

Many people pick passwords that they can easily remember. Unfortunately, that can translate into being easily guessed if someone has minimal knowledge about you. When you choose a password, make sure that it is unusual and not based on personal information or the website itself. For example, I'd imagine that hundreds of people have some variation of the word Yahoo for logging into Yahoo! Mail.

One scary aspect of free email accounts is the measures put in place to help users remember their passwords. Most Web portals realize that their visitors subscribe to many portals or visit the site infrequently, and they have a feature to help people who have forgotten their passwords. Basically, the service allows you to create clues that will remind you of your password. Users can even use biographical information for a password.

For example, the system will ask you what city you were born in. If you answer the question correctly, the service allows you to change your password.

How hard is it to figure out where someone was born, or the name of their dog? In many cases, people might give this information out online in the course of casual exchanges of information. In response to my recent article on You've Got Mail, a woman described her experience being stalked by a former acquaintance. She said he was a brilliant hacker because he broke into her email account.

When I asked her if her stalker could have gained enough information to guess her password or access question, she indicated that it would have been easy for him to know the answer to the question.

My recommendation is that you think of an unusual and memorable answer for a typical question. Let's say you chose the question "What city were you born in?" Answer with the state as opposed to the city. Only you would know to try this unique answering approach.

Finally, when you send out email, try not to divulge private information. If you use a signature file at the end of your email message, remember not to include personal information.
