
Security flaw found in BT's talk21 email

BT's free web-based email service talk21 has come under fire for lax security after an online businessman stumbled across a flaw that gave him access to users' email accounts.

John Leyden, vnunet.com 29 Sep 2000


John Heaton, who runs Hotelkeeper.net, sent a number of marketing messages to members of the hotel trade, including some of talk21's 2.5 million users. He discovered that when a recipient clicked a hyperlink in the email, his web server logs recorded a referring web address that linked directly into that user's talk21 mailbox.

The vulnerability would have allowed anyone holding that address to read or send messages, or to change personal details, provided the address was accessed within 30 minutes of the user logging off from the account.

A BT spokesman said the problem was isolated and only existed for a short time. BT has made changes to its service to ensure it does not happen again.

"This is an isolated security breach that has now been closed down," he said. "We're not aware of any tampering with our customers' accounts. We don't believe this security breach has been used maliciously."

Heaton said BT was slow to act on the problem, taking 26 hours to fix it only partially. By reviewing his log files he found that the problem must have existed for at least three weeks. He added that Yahoo and Hotmail users are not affected by the problem, and that BT's fix does not go far enough.

"BT has disabled the ability for its customers to go on a hyperlink in talk21. I've tested it and the referral page still goes back to an email message, though it no longer allows access to the in-box. If you knew what you're doing you could still get into an account - they've only reduced the problem," said Heaton.

"BT has given an aspirin for a headache rather than look at why people had a headache in the first place."

Matt Tomlinson, business development director of MIS Corporate Defence Solutions, said BT was guilty of lax security, and that cookies should be used to authenticate users to online email services.
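As an added example, not from the article or from BT, this is the check a site operator could run over their own web server logs to spot the pattern Heaton found: an inbound referring address that carries a session credential in its query string. The log lines, host names and the `sid` parameter are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines. The referrer on the second line is a
# hypothetical webmail URL carrying a session token in its query string.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2000:10:14:02 +0100] "GET /offer.html HTTP/1.0" 200 512 "http://search.example/?q=hotels" "Mozilla/4.0"
203.0.113.9 - - [29/Sep/2000:10:15:41 +0100] "GET /offer.html HTTP/1.0" 200 512 "http://webmail.example/read?folder=inbox&sid=9f3a1c7e4b2d8a6f0e5c3b1a9d7f2e4c" "Mozilla/4.0"
203.0.113.9 - - [29/Sep/2000:10:16:05 +0100] "GET /rates.html HTTP/1.0" 200 740 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Parameter names commonly used for session credentials, plus a fallback for
# long opaque values under any name (a heuristic, so expect some false positives).
TOKEN_PARAM_NAMES = {"sid", "session", "sessionid", "token", "auth", "key"}
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def suspicious_params(referrer):
    """Return the query parameters of a referrer URL that look like session credentials."""
    hits = []
    for name, value in parse_qsl(urlsplit(referrer).query, keep_blank_values=True):
        if name.lower() in TOKEN_PARAM_NAMES or OPAQUE_VALUE_RE.match(value):
            hits.append((name, value))
    return hits


def find_leaked_sessions(log_text):
    """Scan combined-format log lines and report each request whose Referer
    carried a credential-like parameter: client IP, referring host, parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ref") in ("", "-"):
            continue  # no referrer recorded for this request
        ref = m.group("ref")
        params = suspicious_params(ref)
        if params:
            findings.append({"ip": m.group("ip"), "host": urlsplit(ref).netloc, "params": params})
    return findings


if __name__ == "__main__":
    for f in find_leaked_sessions(SAMPLE_LOG):
        print(f"{f['ip']} arrived from {f['host']} with credential-like params {f['params']}")
```

A referring site that sees such a hit should treat the logged address as a credential and purge it from the logs; the webmail operator's fix is to stop putting the session identifier in the URL at all.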
