UK: BT Internet security breachgreenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
BT internet security breach
By BBC News Online's Iain Rodger
A serious internet security breach has been discovered at BT's free e-mail service Talk21.
The security failure came to light when John Heaton, who runs his own online business, found he was given full access to other people's e-mail accounts by accident.
He found he could change personal details and read or send messages from within those accounts.
Mr Heaton stumbled upon the fault after he sent a marketing e-mail about his company, Hotelkeeper.net, to hoteliers around the country, which contained a hyperlink to his website.
Like many other internet businesses, Hotelkeeper.net uses freely available software to gather information about visitors to its website for marketing purposes.
The software package tells Mr Heaton where visitors go while browsing on his site and also the site they were looking at before they came to Hotelkeeper.net. It does not gather any personal information about the visitor.
When hoteliers who received Mr Heaton's marketing e-mail clicked on the hyperlink to go to his site, this was registered by the software package as a visit.
By clicking on the record of the visit, Mr Heaton would expect to see details of where they had come from and how they had travelled around his site.
Instead, when he clicked on records from "a couple of dozen" visitors who had e-mail accounts at Talk21, he found he was taken straight into their accounts.
"I was utterly astonished", he said, and he immediately phoned a BT helpline to report the fault (1800 GMT on Wednesday).
He said he was told to e-mail a 24-hour "priority address" at Talk21, which he did.
When he had received no acknowledgement by Thursday morning, he e-mailed again at 0930 GMT and 1100 GMT. He also checked to see whether the fault had been cured and found it had not.
Contacting BBC News Online, he said: "I was angry that I received no response from BT over such an appalling security flaw.
"I stumbled across this breach - potentially affecting thousands of BT customers - in a perfectly legal and everyday manner.
"Companies have to realise that the much-hyped development of the internet just won't happen if people are worried about security."
-- Jim McAteer (email@example.com), September 29, 2000
BT bungles security fix
By BBC News Online's Iain Rodger
BT has bungled fixing a serious internet security flaw, raising further questions over one of the UK's biggest telecoms companies.
On Friday morning, BT claimed it had installed a "patch" for the problem, but in fact it had not solved it at all.
Originally, anyone monitoring visitors to their own website using certain software could, with one click, find themselves given full access to private Talk21 e-mail accounts.
After the patch, they would find they were instead shown the private e-mail containing the hyperlink which the Talk21 account holder had used to visit their website.
In other words, still a serious breach of security.
Computer experts said it would be very simple for anyone with technical knowledge, and who was so inclined, to work back from that e-mail into the user's Talk21 account, as in the original security breach.
At first, BT spokesman Simon Gordon told BBC News Online the problem had been solved.
However, when the new flaw was explained, he passed the details to BT's technical staff.
"We will have a new patch in place in an hour or so," he said at 1400 GMT, stressing that BT took security issues very seriously.
-- Jim McAteer (firstname.lastname@example.org), September 29, 2000.