Hotmail Program Flaw Is Sending Users’ E-Mail Addresses to Ad Firms

CNET NEWS.COM

A flaw in Microsoft Corp.’s Hotmail program is inadvertently sending subscribers’ e-mail addresses to online advertisers, the company confirmed Wednesday.

The admission highlights a widespread Internet security problem known as “data spill.” Security experts said similar problems have plagued Internet companies that make personal information available in URLs, or Web addresses.

In Hotmail, the problem crops up when people who subscribe to HTML newsletters open messages that come packaged with banner ads.

“If you have a Hotmail account and you subscribe to an HTML newsletter that serves ad banners, simply by reading the message, the leak occurs,” said Richard M. Smith, a privacy and security expert who brought the design flaw to Microsoft’s attention in mid-June.

“The source of the problem is that Hotmail includes your e-mail address in the [Web address], and if you read an e-mail that has banner ads” the Web address will be sent to the third-party company delivering the banner, he said.

Microsoft said the problem is core to the technology and the way URLs are constructed. “The company is working on something that will eliminate this error in August,” said Melissa Covelli, a Microsoft spokeswoman. “It requires a complete redesign to the technology of Hotmail.

“There’s no evidence that any company has noticed this information, and we know that no consumer e-mail addresses have been abused,” added Covelli, who said the company discovered the flaw a couple of weeks before Smith’s discovery. Hotmail has 67 million subscribers.

Data spills can occur when an HTML page contains an image, such as a GIF, that is served by a third-party company, such as an ad network. When the browser fetches the image, it sends the Web address of the page it is on, including any personal data embedded in that address, to the third-party server (as the referrer URL) so that the ad network can know where to deliver the image.

These kinds of data spills abound on the Web.
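The mechanism described above can be audited from the receiving side. The following is an added example, not code from the article, Microsoft or any ad network named in it: it takes image requests as an ad server would see them, with the referrer URL attached, reports any request whose referrer carries an e-mail address (including percent-encoded ones), and shows the truncated form the server should log instead, which is the kind of stripping DoubleClick describes later in the piece. The sample requests, host names and the `asset`/`referer` field names are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Matches the common shape of an e-mail address; good enough for an audit, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample traffic as a third-party ad server would log it.
# These are not real Hotmail, newsletter or ad-network URLs.
SAMPLE_AD_REQUESTS = [
    {"asset": "/banner1.gif",
     "referer": "https://mail.example.test/cgi-bin/getmsg?login=alice%40example.test&msg=42"},
    {"asset": "/banner2.gif",
     "referer": "https://mail.example.test/u/bob@example.test/inbox"},
    {"asset": "/banner3.gif",
     "referer": "https://news.example.test/issue/17"},
]


def find_spilled_emails(referer: str) -> list[str]:
    """Return every e-mail address present in a referrer URL.

    Addresses can sit in the path, the query string or the fragment, and are
    often percent-encoded (alice%40example.test), so decode before matching.
    """
    return EMAIL_RE.findall(unquote(referer))


def scrub_referer(referer: str) -> str:
    """Reduce a referrer to what an ad server needs for delivery: scheme, host
    and path. The query string and fragment are dropped entirely, and an
    address that is part of the path itself is replaced with a fixed token.
    """
    parts = urlsplit(referer)
    safe_path = EMAIL_RE.sub("[redacted]", unquote(parts.path))
    return urlunsplit((parts.scheme, parts.netloc, safe_path, "", ""))


def audit_ad_requests(requests: list[dict]) -> list[dict]:
    """Report each request whose referrer leaked an address, together with the
    value that should have been logged in its place."""
    findings = []
    for req in requests:
        leaked = find_spilled_emails(req["referer"])
        if leaked:
            findings.append({
                "asset": req["asset"],
                "leaked": leaked,
                "log_as": scrub_referer(req["referer"]),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_ad_requests(SAMPLE_AD_REQUESTS):
        print(finding)
```

The audit only inspects referrers the browser actually sent; the durable fix is the one the article attributes to Microsoft, keeping the address out of the URL in the first place, since the ad network cannot be relied on to discard what it receives.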

“This isn’t just local to Hotmail; we’ve seen hundreds of instances of data spills over the course of this year,” said Debra Pierce, staff attorney at the Electronic Frontier Foundation, which has been studying the occurrence.

Sony, for example, had a software flaw last year that allowed advertisers to view e-mail addresses of Sony subscribers on their Infobeat newsletters. Butterball’s electronic newsletter also inadvertently divulged private information about its subscribers last year.

Since its launch, Hotmail has been haunted by problems with its free e-mail service. Last month, after a five-day outage, the site deleted some of its subscribers’ address books, personal folders and archived e-mails.

Smith estimates that the problem has existed on Hotmail for six months and that more than a million Hotmail e-mail addresses may have been given away. While he estimates that nearly 20 ad networks are receiving the user names, Smith said that most of the big ad agencies, including Engage and Avenue A, are throwing away this information.

DoubleClick, the Web’s top ad network, said it doesn’t record such information.

“DoubleClick’s ad servers automatically truncate any personal information that may be inadvertently sent in a referrer URL,” said Jules Polonetsky, chief privacy officer at DoubleClick. Polonetsky said the ad network learned about the data spills several months ago.