By JOSIE CLARKE and MICHAEL FOREMAN
Personal security online took another hit yesterday as hackers targeted Hotmail addresses and Windows users found their systems riddled with spy files.
Microsoft's Hotmail yesterday countered hackers who fleetingly provided malicious users with the chance to read other people's personal e-mails.
A group called Root Core posted details of how to access Hotmail messages on its website, and they quickly spread.
Hotmail is a popular web-based e-mail service, with Microsoft claiming more than 110 million active accounts.
The Herald downloaded the three-step instructions yesterday but found that links listed by Root Core to view Hotmail messages were unavailable.
Matt Bostwick, a spokesman for Xtra, which provides access to Hotmail tools, said that although Root Core had exposed a potential vulnerability, the chance of exploiting it was "theoretically possible but mathematically insignificant".
The flaw potentially allowed people to read specific messages sent to other people's Hotmail addresses after logging in on their own Hotmail account. It did not provide access to the inbox or other parts of the e-mail account.
Root Core's instructions exploit the way Hotmail organises messages, as every e-mail has a consistent format. To gain access to the e-mails, a malicious user needs to know a person's username and guess the number of a message.
Root Core said it had devised a scanning programme that tried about one message number a second.
However, users needed a fast internet connection to run the programme and needed to know how often someone looked at their Hotmail account. Also, a clear trail would lead back to the malicious user's own account.
Mr Bostwick said users could change passwords often, using a mix of letters and numbers, as a defence against hackers.
Meanwhile, the Herald received an unprecedented response from readers yesterday after it revealed details of hidden spy files in Windows computers.
Hundreds of e-mails from readers confirmed that the files, which record internet sites visited and web-based e-mail messages, are present in all current versions of the Microsoft Windows operating system.
Many readers described how the persistent files in the C. IE5 folder allowed them to read others' e-mails without passwords.
One Herald reader, who identified himself as "Simon", wrote that he followed the guidelines and opened only one file, a Hotmail message to his son from his girlfriend.
"I had no password. Fortunately, it was only an innocent joke she had sent. But I immediately felt I was intruding ... Microsoft have deceived me by hiding this suspect file in my computer."
"Debra" wrote that she had no problem opening e-mails of her own which she thought she had deleted a long time ago.
Microsoft's New Zealand technical marketing group manager, Terry Allen, told the Herald last night that "this is not a sinister spy file. This is a normal system file that is used internally to speed up the process of browsing."
It did not allow Microsoft or other third parties to retrieve PC-users' web contents.
During the day, the company's help desk talked at least one reader through deleting the files.
The help desk wanted to charge him $35, but waived the charge when he quoted a pledge by a senior Microsoft New Zealand manager that the company would help users remove the files.
New e-mail security danger follows spy file revelations