WebTV Security Breach: Hijack Code Can Forward Stored Mail
By Laura Buddine (January 2, 2000)
UPDATE: WebTV Says Email Hijack Code Fixed
WebTV Networks is now reporting that the "email hijack code" that had allowed malicious exploitation of users' email accounts and opened their stored mail to prying eyes has now
Updated Story, Jan 6, 2000
Net4TV Voice has learned that the "hack" code that is being used to send email from a WebTV user's box without the user's knowledge also is being used to compromise the security of users' stored mail.
The code, which is being embedded in posts in WebTV's alt.discuss newsgroups, emails and web pages, directs any WebTV box that loads the page to send an email message to an address set in the code. The code executes "in the background;" users who have sent the mail do not see any indication of mail being sent, and only find out about it if they receive a reply or look in their Sent Mail folders.
Now, Net4TV Voice has learned that the code has even more serious security implications. It also has been used to forward email from users' own Sent Mail and Saved Mail folders to an address set in the code. Although hackers cannot directly see the email that a WebTV user has within his/her own account, they can forward it out into their own email account on another service, helping themselves to a user's private correspondence and information. Net4TV Voice has been shown how this can be done, and also has heard from one user whose email account has apparently been violated.
Code Known At Least Since September
The basic email code that is the key to controlling a WebTV user's mailbox has been known by some users since at least September, when it was discussed in one of the WebTV hacking newsgroups. A number of the frequenters of the group used the code to create "receipts" in their mail so that they would receive a mailback when the email was opened and read, or as a watch of their web pages so that they could see who was surfing it. "It was not intended to be used for malicious purposes," wrote one of the WebTV users who made use of the code. "Of course, some with questionable intent got a hold of the code and used it for other than the original purpose."
Mods Know About Code, But Customer Service, Abuse Don't Get It
Among other things, the code has been used to bombard WebTV's Abuse Department with profane complaints, and to cause users to unknowingly send nasty messages to others. One of the problems is that there is no way within the email itself to prove that the box it came from did not originate the email; one WebTV user has written to Net4TV Voice that WebTV's Compliance Department is threatening her with termination for "spamming," even though the mail is being triggered by code embedded in an email sitting in her own box.
On December 21, a moderator in the official webtv.users newsgroup posted a warning that users should not go into a hacking newsgroup because of the code. The warning, which was published in Net4TV Voice's mid-issue story, User Alert: WebTV Email 'Hack' Can Send Mail From Your Box, claimed that the code itself was created by "some users." In fact, the code was created by WebTV itself (as were all elements and codes in the WebTV software). Net4TV Voice has since been advised that the code itself was previously posted in webtv.users and was "slipped past the mods."
Often, the emails containing the code also contain another "no send" code that prevents them from being forwarded or "bounced." This prevents the trouble-making mail, post, or page from being forwarded to WebTV Abuse as evidence. This has led to some ludicrously frustrating exchanges with WebTV Customer Service in the WebTV Help Center, which insists that it cannot do anything and that posts must be forwarded to Abuse before action can be taken. WebTV user JaxRed offered this example of the reply he received after writing to explain the problem and that the posts carried "no send" codes preventing them from being forwarded:
Thank you for writing WebTV.
We understand your concern regarding this matter. However, this is not an issue that the Customer Service Center, can help you with. We apologize for the misunderstanding on our part regarding this matter. However, this is a matter that you will to forward (sic) on to Abuse@webtv.net. Abuse will look into this matter further for you. Please forward any and all the information that you have regarding this matter to Abuse@webtv.net. Please only forward this matter once, as if this issue is forwarded more than once there is a chance that this issue will be rejecked.(sic)
Another user, however, received a different response from the Customer Service Center when she complained about a post made by a self-proclaimed hacker:
Thank you for writing WebTV.
We are aware of this issue and are working on removing this person. We do appreciate your feedback. I will pass this information along for you.
Waiting for WebTV's Response
Net4TV Voice contacted WebTV Networks on Thursday in preparation for this story, but were advised that because of the New Year's holiday, they would be unable to respond until January 3. Although we declined to hold the story to wait for their response, we will post an update to the story when we receive it.
However, Net4TV discussed the issue with a former WebTV employee who was involved in the operation of the WebTV servers. These were his comments:
WebTV's machines already filter certain content before sending it along to our boxes. They call it transcoding. Essentially what happens is they replace certain HTML with their own, mainly for their own security but also for functionality in some cases. What this means is that WebTV's machines already go through every line of code, whether on a web page or in an e-mail or newsgroup post, looking for the offending HTML and transcoding as necessary before our boxes receive it.
That's why I can't understand what's taking them so long to fix this thing. It's probably easier said than done but a quick solution would be to add this mail exploit code to the list of code they're already filtering and be done with it, at least until they can address the problem more thoroughly in a future client build. That'd have to be done eventually because there are certain situations where our boxes by-pass WebTV's machines (and thus the transcoding) but in the meantime the overwhelming majority of the problem would be solved.
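An allowlist transcoder of the kind the former employee describes, as an added Python example (not WebTV's code; the article does not show the real trigger markup, so the x-sendmail tag below is a constructed placeholder): instead of denylisting one offending string, it keeps only known formatting tags and attributes, drops everything else, and records what it removed so Abuse can attribute the message to its real source.

```python
import html
from html.parser import HTMLParser

# Constructed placeholder standing in for the proprietary action markup
# that made a box send mail; the real tag is not given in the article.
ACTION_TAG_PLACEHOLDER = "x-sendmail"

# Allowlist: ordinary formatting a mail or newsgroup post legitimately needs.
# Anything not listed here, including unknown proprietary tags, is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "font", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "font": {"color", "size"}}
RAW_TEXT_TAGS = {"script", "style"}  # their body is not prose; drop it whole


class Transcoder(HTMLParser):
    """Re-emits markup with only allowlisted tags/attributes and logs drops."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities verbatim
        self.out, self.dropped, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # parser lower-cases tag names
            self.dropped.append(tag)
            if tag in RAW_TEXT_TAGS:
                self.skipping = tag
            return
        keep = ALLOWED_ATTRS.get(tag, set())
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"'
                            for k, v in attrs if k in keep and v is not None)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def transcode(markup):
    """Return (cleaned markup, list of dropped tag names) for one message."""
    p = Transcoder()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped
```

Because the parser normalises tag names, case or whitespace variants of the placeholder tag are caught too, which a literal-string denylist would miss.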
WebTV's Security History
This is not the first time that codes that WebTV created for their own purposes have either been leaked or discovered by users and used to create security holes and "bombs." About eighteen months ago, WebTV's email was actually hacked by a WebTV user, who was then trapped by a "hacking contest" that got him to reveal how he had done it. The hack was reported by the "trapper" to WebTV and that hole was closed.
But more holes remained, including some that had many WebTV users playing "Doom" long before it was released (and only to DishPlayer users). Last spring, some WebTV users found another code that could be used to insert and rearrange Favorites folders in other users' boxes, while the use of a WebTV code that could wipe out users' accounts (the Amnesia Bomb) caused such problems that WebTV was forced to rush out a browser update to stop it (Amnesia Bomb Halts Plus Update).
The most serious security breach was revealed in September, when Net4TV Voice broke the story WebTV Spam Block Revealing User, Subscriber IDs. WebTV tried to downplay the seriousness of the breach, claiming that nothing could be done with the IDs even if they were revealed (not true -- with a user ID known, it was possible to terminate a user's account remotely); WebTV's Customer Service department even sent email to users in which they claimed that the Net4TV Voice story was "bogus" and that Net4TV was working with spammers to get the maximum amount of spam delivered to WebTV users. When confronted by CNet and ZDNet, however, WebTV admitted the security breach was true but stated that it had been fixed.
Microsoft itself has also had its security problems, with breach after breach in HotMail security finally causing the company to announce that it was calling in an independent outside auditor to review its security. Microsoft would not release the name of the auditing company, stating only that it was one of the "big five," but did admit that its biggest breach had been caused by a string of code that hadn't been tested for security. When the flaw was first revealed, Microsoft claimed that its security had been broken by sophisticated hackers, armed with powerful software tools. In October, Microsoft announced that Truste had OK'ed the security fix at HotMail.
WebTV itself has also drawn fire because of its collection of user data; although then-CEO Steve Perlman revealed in October 1998 that WebTV was recording its users' activity on the Net and on TV (see WebTV Is Watching You), it did not offer its users the ability to "opt out" of being recorded until the HipHop upgrade in November, 1999, over one year later.
"It's not that I only don't trust WebTV not to sell information they have on me," wrote one user to Net4TV Voice, "I don't trust them not to just let it out accidentally because they didn't lock the door. I'm beginning to wonder if they even care about anyone's secrets except their own. I just traded up to a new WebTV Plus and I used my son's credit card. He's got a different name and a different billing address -- but they never even asked for anything except a card number and an expiration date... it could have been anyone's."