UPDATED STORY 9/18/99 Click here for latestUPDATE 9/15/99
WebTV has acknowledged the problem to Net4TV Voice and ZDNet, who also ran the story, and says the problem has now been fixed. Net4TV Voice has tested the known methods of retrieving user and subscriber ID numbers, and did not find evidence of the numbers being exposed with their the spam block on or off.
However, Net4TV Voice has learned that WebTV's Customer Service is now telling users by email that there never was a problem, and that Net4TV Voice report was a bogus report designed to get users to take their spam block off so that as much spam as possible could be sent to WebTV users.
In their comments to ZDNet, WebTV downplayed the effect of the leak, stating that it would be difficult for someone to "alter" a user's account with this information. "Alter," perhaps, but Net4TV Voice has learned that, with the user ID, it is very easy for anyone who knows how to terminate a user from anywhere, without the targeted user even turning on his box.
Net4TV Voice is working on a detailed update that will be published within a couple of days.
A major security flaw in WebTV email is revealing subscriber ID and user ID numbers when the spam block is on and email bounces from a full mailbox. These numbers can be used to identify you under various email addresses, and in the wrong hands, can even be used to terminate your account. WebTV has been notified of this hole but, as of this posting, it is not yet fixed. The protection from this hole, until it is permanently fixed, is to turn the spam filter option in WebTV email OFF.
Information Revealed in Bounced Email
When your WebTV mailbox is full, any email sent to it is returned by the mail server to the sender with a set of codes that reveal why the mail bounced. The header below is an actual portion of an email that we bounced on Sunday, September 12, and is the way that WebTV email is supposed to be returned from a full mailbox. (Note: these were done as a test with the cooperation of the user, and the user's actual email name has been replaced by us with "username" for privacy; otherwise, it is exactly as received.)
Final-Recipient: RFC822; UserName@webtv.net
X-Actual-Recipient: RFC822; username@mailsorter-102-1.iap.bryant.webtv.net
Action: failed
Status: 5.0.0
Remote-MTA: DNS; postoffice-102.iap.bryant.webtv.net
Diagnostic-Code: SMTP; 554-The incoming mailbox for user username is full.
Last-Attempt-Date: Sun, 12 Sep 1999 18:27:24 -0700 (PDT)
However, when the WebTV spam filter is ON, the WebTV mail servers are returning more information, including the unique identifying user-id and subscriber-id. The user-id is the unique identifier of the email addy, and the subscriber-id is the unique identifier of the subscriber; the subscriber-id is the same for all email addresses on the WebTV box. The header portion below is an email to the same user with the spam filter turned on. (Most of the actual digits in the user-id and subscriber-id numbers have been replaced with 0's to protect the user's identity and account.)
Final-Recipient: RFC822; UserName@webTV.net
X-Actual-Recipient: RFC822;
username?user-id=100000004&subscriber-id=100000001&category=brynt5
&spam-enabled=false@mailsorter-101-4.iap.bryant.webtv.net
Action: failed
Status: 5.0.0
Remote-MTA: DNS; postoffice-102.iap.bryant.webtv.net
Diagnostic-Code: SMTP; 554-The incoming mailbox for user username is full.
Last-Attempt-Date: Sun, 12 Sep 1999 13:59:10 -0700 (PDT)
From Net4TV Voice's and other users' experiments, the cause of this security breach can be seen in the portion of the header that reads &spam-enabled=false. (Apparently, if you turn off the WebTV spam block that prevents many outside domains from sending you mail, you become "spam-enabled" according to WebTV.) The spam-block, and the security hole, may be active on some accounts and not on other accounts on the same box.
Although it may result in more annoying spam reaching your box, for security reasons, Net4TV Voice urges you to TURN OFF (un-check) the spam block option in your WebTV email for EACH of your user addresses. NOTE that the spam block is the default -- this means that it MAY be on in your email, even if you have never turned it on.
Discovering the Flaw -- Ten Months Ago
Net4TV Voice was first notified of the problem in November, 1998, by WebTV user Fabrikator, who started seeing user and subscriber IDs appear in some bounced mail from his mailing list. We tried ourselves to duplicate the flaw by bouncing from our WebTV boxes, but were unable to do so. However, since we had the actual headers forwarded to us from Fabrikator, we knew that it was real.
Net4TV Voice immediately contacted John Lee of WebTV Networks who had been our contact in the WebTV developer program, notified him of the discovery, and forwarded the email headers. We asked that WebTV notify us when the bug was identified and fixed, and told them that, to avoid a flurry of mailbombing from users out to discover other users' id numbers, we planned to hold the story until they notifed us that it had been fixed.
We never received any notification from WebTV. Three weeks later at the Western Cable Show, we brought up the issue with WebTV spokesperson Aaron Mata and Waggener-Edstrom (WebTV's PR agency) Account Executive Nikki Weibe. They advised us that WebTV had already known about the bug and had fixed it prior to our notification. When we told them that we had information from the user who had told us that it was still happening, they stated that he was probably a Previewer on a test server and that it was not a problem.
Approximately one week ago, WebTV user Norm Takahashi let us know that Ids were being revealed and that it was now system-wide. He had run some tests and identified the cause. We duplicated the tests and validated them, both on our own boxes and also with some of our friends. We also reviewed the full mailbox bounces from our last two Paperboy mailings, and found IDs exposed in about 70% of them. We are not certain that every WebTV mailserver is exposing the IDs, but we have been able to see that there are several servers that are doing so.
Both the user who helped us complete our tests and Net4TV Voice have notified WebTV of the situation, and we have asked for comment. We will post an update when a comment is received from WebTV. If WebTV notifies us that the problem has been fixed and we are able to validate it, we will also advise our readers in an update.
The Danger in the Exposure of Your IDs
The first and obvious security concern with the exposure of user and subscriber IDs is the loss of anonymity that you may have. As a simple example, if John_Doe and Robert_Roe have the same subscriber ID, anyone with the IDs from both of those users will be able to identify that they are using the same WebTV box. Some users might not mind, but many would not like to have all of their email addresses identifed with their primary user.
But a more serious concern is the the potential invasion of your WebTV account and private information, and even the ability for someone far away to target you and terminate your users or your service. Net4TV Voice has been advised by knowledgeable sources that this is very possible, and even how it is done.
Yet More Microsoft Security Issues
This latest security hole comes on the heels of HotMail's failure to check passwords, which Microsoft attempted to pass off as an an "attack by an expert hacker, using state-of-the-art tools." Millions of HotMail accounts were left wide open to anyone who cared to look; all that was necessary to get in was the HotMail email address of the user whose mail you wanted to read. Another flaw in the HotMail system is that users cannot delete their accounts, once they have been set up.
Last fall, Net4TV Voice published the story WebTV is Watching You about then-president Steve Perlman revelations that the company was collecting data on WebTV users' TV-watching and Web-surfing habits. Perlman stated that no personal data would be released about individual users until the company had a method of allowing individual tracking to be turned off, promised for sometime this year. WebTV has made no further comments about when or if such a feature would be available. WebTV claims to have a strict Privacy Policy, although analysts reviewing it and the WebTV Terms of Service have identified conflicting statements in the two documents. WebTV also displays the TrustE certification on its corporate site, but the certification ONLY applied to its corporate site on which it doesn't ask for user data.
How Do You Feel About Your Own Privacy?
We've asked several times for feedback from our readers about their security and privacy concerns, but in light of the current news, we thought we'd ask again to see if the concerns have changed. So, how do you feel about your personal privacy and security on WebTV and the Net at large? It's our Question of the Week.
