Internet ; John Geralds in Silicon Valley [26 Aug 2000]

Hotmail instant messaging glitch revealed

Microsoft is investigating a glitch that allows Hotmail users to register outdated accounts and gain access to the associated instant messaging user names and contact lists. The software giant said the issue is being looked into by its security response centre.

The problem came to light last week after a complaint posted on BugTraq, which discusses security vulnerabilities. The warning came from James Nelson, a systems administrator at Cisco who was surprised to see his old contacts list reappear after he registered for a Hotmail account using the same user name he had used for a previous Hotmail account. He said that people may not be aware that contact lists do not appear to be cleaned out after accounts are closed.

A Microsoft spokeswoman acknowledged the company is aware of the problem but did not say for how long or when access to supposedly expired contact lists would be closed off. Hotmail accounts that are inactive for more than three months are suspended and are deleted after a further three months.

The latest complaint follows a general warning made more than a year ago also at BugTraq by Dmitri Alperovitch, a software developer and co-founder of Encryption Software who detailed the programming glitches.

He wrote: "The program is using Hotmail as its user base. So you might findyourself in a situation where you've been unable to access your Hotmail accountfor three months and someone else has registered your account and isimpersonating you on MSN Messenger."

http://www.vnunet.com/news

-- Martin Thompson (mthom1927@aol.com), August 26, 2000