Personal email kept by more than 10,000 users of a Web-based email service may have been exposed to crackers because of a security and privacy bug that is almost a year old.
MailStart and MailStart Plus allow consumers to read and send their email from anywhere they find a Web browser. The services allow consumers to view and send email from both personal and business accounts.
But until Tuesday morning, the site was vulnerable to the "::$DATA" bug. That hole lets virtually any casual Web user read the source code of Active Server Pages (ASP) applications running on Microsoft's Internet Information Server (IIS).
"They don't understand or are not maintaining their own security and may be contracting out their security and don't know what they are doing," said the system administrator who found the unpatched server but spoke on condition of anonymity.
"We did find that one of our machines did not have the patch ... one of our most powerful machines," said Richard Sutherland, MailStart's president.
Sutherland confirmed that a sophisticated attacker could have accessed the company's database of subscriber email. The company closed the hole Friday morning.
The administrator who found the bug used it to view the source code that allows users to retrieve their forgotten passwords, and another that logs into the site's advertising server.
"It seems that this not only puts individual user data at risk, but opens the possibility of connecting to your SQL server from outside and using the revealed DSN and password to do a mass download of user info," the source wrote in an email sent to MailStart administrators.
Sutherland said that the machine was probably vulnerable for about two-and-a-half weeks. He said that the machine had crashed at that time, and had been rebuilt by an administrator who neglected to patch the bug. The company has changed all its server login passwords, and said that a check of server logs showed that no information was compromised.
The bug was first made public in June 1998 and was patched by Microsoft several days later.
Sutherland said that MailStart launched about two-and-a-half years ago.
MailStart, and its subscription-based cousin MailStart Plus, are members of the Truste privacy seal program. Truste licensees agree to adhere to the privacy policies they publish.
"We take great pride in providing you with a strong privacy policy," the company says on its Web site. "To further insure [sic] the integrity of data stored on our network we utilizes [sic] all necessary and available security."
Under the standard Truste agreement, sites found to have violated their policies must submit to a comprehensive technical audit and investigation of their information practices.
ASP is a technology that lets webmasters running Microsoft's IIS Web server build pages "on the fly": scripts on the server query databases and run programs, and the server assembles the finished page before sending it.
Such ASP code is normally hidden from the end user, who sees only the rendered page. But the code can contain sensitive information such as "connection strings," which tell the server how and where to log in to a nonpublic database, typically a data source name (DSN) along with a user name and password.
Anyone can exploit an unpatched server simply by appending the text ::$DATA to the URL of any .asp page. "::$DATA" is the NTFS name for a file's default data stream; because IIS did not recognize the suffix as part of the .asp mapping, it treated the request as a plain file download and returned the raw script instead of executing it, complete with any embedded logins or passwords.
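Three small checks a practitioner would want for the bug described above, written here as an added example and not taken from the article, from MailStart, or from Microsoft: building the ::$DATA probe URL from an ordinary .asp address, telling leaked ASP source (and the connection-string secrets in it) apart from a normally rendered page, and finding the request pattern in IIS W3C extended logs, the kind of log check the article says MailStart performed. The ASP source, the host name, and the log lines are constructed for the example.

```python
"""Helpers for the IIS ::$DATA source-disclosure bug (added example).
Builds the probe URL, recognises leaked ASP source, and flags the request
pattern in IIS W3C extended log lines. Sample data below is constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, unquote

ADS_SUFFIX = "::$DATA"   # NTFS name of a file's default data stream


def probe_url(url):
    """Append ::$DATA to the path of an .asp URL, keeping any query string.
    An unpatched IIS fails to route 'page.asp::$DATA' to the ASP handler and
    serves the file's bytes (the script source) as static content."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".asp"):
        raise ValueError("expected a URL whose path ends in .asp: %r" % url)
    return urlunsplit(parts._replace(path=parts.path + ADS_SUFFIX))


# ASP script delimiters appear only in server-side source; a rendered page
# never contains them, so their presence means the server leaked source.
_ASP_DELIM = re.compile(r"<%.*?%>", re.S)
# Connection-string keys (ODBC / OLE DB style) that matter once source leaks.
_CONN_KEY = re.compile(
    r"\b(DSN|UID|PWD|PASSWORD|PROVIDER|DATA SOURCE|INITIAL CATALOG)\s*=\s*([^;\"']+)",
    re.I)


def looks_like_asp_source(body):
    """True when a response body contains ASP script blocks."""
    return _ASP_DELIM.search(body) is not None


def connection_secrets(body):
    """Return {KEY: value} for connection-string fields found in leaked source."""
    return {k.upper(): v.strip() for k, v in _CONN_KEY.findall(body)}


def scan_iis_log(lines):
    """Parse W3C extended log lines (as IIS writes them, with a #Fields
    directive naming the columns) and return (c-ip, cs-uri-stem, sc-status)
    for every request whose decoded URI stem carries the ::$DATA suffix."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        # Decode %24 etc.; NTFS stream names are case-insensitive, so lower().
        stem = unquote(rec.get("cs-uri-stem", ""))
        if "::$data" in stem.lower():
            hits.append((rec.get("c-ip"), stem, rec.get("sc-status")))
    return hits


# --- constructed sample data (not from the article) ---
SAMPLE_ASP_SOURCE = """<%@ Language=VBScript %>
<HTML><BODY>
<%
' constructed stand-in for a password-retrieval page's source
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=mailusers;UID=webapp;PWD=s3cret"
%>
</BODY></HTML>
"""
RENDERED_PAGE = "<HTML><BODY>Enter your username.</BODY></HTML>"
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-11 03:12:44 192.0.2.10 GET /forgot.asp - 200
1999-05-11 03:13:02 192.0.2.10 GET /forgot.asp::$DATA - 200
1999-05-11 03:13:40 198.51.100.7 GET /login.asp::%24DATA - 200
1999-05-11 03:14:01 203.0.113.5 GET /default.asp - 200""".splitlines()

if __name__ == "__main__":
    print(probe_url("http://www.example.com/forgot.asp?user=bob"))
    print(looks_like_asp_source(SAMPLE_ASP_SOURCE), looks_like_asp_source(RENDERED_PAGE))
    print(connection_secrets(SAMPLE_ASP_SOURCE))
    for ip, stem, status in scan_iis_log(SAMPLE_LOG):
        print("ADS request", ip, stem, status)
```

Two points worth noting when using this against real logs: the `%24` encoding of `$` is decoded before matching, since some clients escape it, and a hit with status 200 on an unpatched server means the source was actually returned, which is the case Sutherland's log review would have had to rule out.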
The admin who discovered the bug did not attempt to use the login scripts he discovered with the bug, and did not know if they would have connected him to the site's private email databases.
"A user who has the name of the [internal] database as well as the password could potentially connect as a remote user and have access to everything in the database," said the source.
Russ Cooper, moderator of the NTBugTraq mailing list, said that he was not surprised by the incident.
"Far too few people pay attention to the hot fixes and service packs," said Cooper, referring to the security updates regularly released by Microsoft. "Way too many people install what they get right out of the box."
Cooper said he has never received a report of a cracker actually exploiting the ::$DATA bug against a company.
"The approach is 'Are they the right email provider for you?'" Cooper said. "If they haven't patched the system after a year, then ... what other problems are they presenting to the subscribers of the service?"
For Sutherland, the lesson has been a painful one.
"This is incredibly embarrassing. It has been a big lesson for us," he said, and pledged that he would personally pay more attention to security issues in the future.