
This article was published on February 18, 2010

Mobile Hotmail Privacy Breach Shows You Someone Else’s Inbox

Ceiling Cat is watching your inbox.

When we check our email or log into social networks on our mobile phones, it’s natural that we trust it will bring us to the right place. Microsoft is reporting that some Hotmail users have been accidentally shown other users’ inboxes when using the service on their mobile.

In their statement, the company said “Microsoft takes customers’ privacy seriously, and immediately upon learning of these reports, we started an investigation. We will take appropriate action once we have completed the investigation.”

The Windows Live sign-in service was down for a bit Tuesday, due to a server failure, and it seems that the two events coincided — but I’m not completely convinced. When this sort of thing happens in mobile browsers, it’s usually on the mobile carrier’s end and in how they handle authentication cookies. It all depends on how the cell network is designed. Sometimes, one piece of faulty network equipment routes all the mobile Internet traffic for a particular area, and weird things happen when the computers down the line receive that data.

In January, AT&T customers had the same issue with mobile Facebook, in which they were unintentionally logged into someone else’s account — every time the browser was refreshed.

These situations seem rare, but I’ve found a handful of them, very much like the ones above. It opens up a pretty serious issue.

When security gaps exist between a user’s mobile phone and the Web, it can be dangerous — causes include misconfigured equipment, poorly written network software or other technical errors. Though the breach is limited, who knows what one person could gain from accidentally accessing someone’s email inbox or Facebook account.

Encrypted websites would be immune to this sort of mess — banking and e-commerce websites usually encrypt everything. You can quickly tell whether a website is encrypted by looking at the URL: addresses beginning with “https” rather than “http” are encrypted. Facebook uses encryption while the user name and password are being entered, but drops it once the credentials have been accepted.
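As an added example (not from the article), here is a small audit of the properties that let a shared intermediary such as a carrier proxy hand one subscriber’s logged-in page to another: plaintext transport, a session cookie without the Secure flag (the “encryption dropped after login” case described for Facebook above), and a personalised response that a shared cache is allowed to store. The sample responses and cookie names are constructed for the example.

```python
from http.cookies import SimpleCookie

# Names treated as session/authentication cookies (constructed for this
# example; a real audit would use the application's actual cookie names).
SESSION_COOKIES = {"sid", "auth_token"}


def audit_response(scheme, headers):
    """Audit one captured response; returns a list of finding strings.
    scheme is the URL scheme the client used, headers a list of (name, value)."""
    findings = []
    lower = [(k.lower(), v) for k, v in headers]

    # 1. Transport: over plain HTTP an intermediary can read, cache and
    #    mix up the whole exchange, cookies included.
    if scheme.lower() != "https":
        findings.append("plaintext transport: session exposed to intermediaries")

    # 2. Session cookies: without Secure the browser also sends the cookie on
    #    later http:// requests, so dropping TLS after login leaks it.
    for k, v in lower:
        if k != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(v)
        for name, morsel in jar.items():
            if name in SESSION_COOKIES and not morsel["secure"]:
                findings.append(f"session cookie {name!r} lacks the Secure flag")

    # 3. Caching: a per-user page must forbid shared caches from storing it,
    #    or the next subscriber behind the same proxy may be served it.
    cache_control = ",".join(v for k, v in lower if k == "cache-control").lower()
    directives = {d.strip() for d in cache_control.split(",") if d.strip()}
    if not directives & {"private", "no-store"}:
        findings.append("personalised response is storable by a shared cache")
    return findings


# Constructed samples: the same post-login inbox page served two ways.
WEAK = ("http", [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
                 ("Cache-Control", "public, max-age=600")])
HARDENED = ("https", [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
                      ("Cache-Control", "private, no-store")])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(*resp) or ["no findings"])
```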

So, if you’re one of the users experiencing this issue, hopefully Microsoft will get on with their investigation. I haven’t been able to track down what cellular networks these users are on, but let’s hope everything is resolved ASAP.
