BT finally patches e-mail bug after user warnings



Antony Adshead

BT has had to patch a security bug in its e-mail system after being alerted by an eagle-eyed IT professional.


John Heaton of Hotelkeeper.net discovered the flaw while checking his system software. Heaton found that referrals to BT's Talk21 e-mail users in his Web site statistics logs contained links giving access to their in-boxes and other mailbox features.
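The check that Heaton's discovery amounts to, written here as an added example that is not from the article or from BT: it scans combined-format web server log lines for Referer URLs whose query string carries a session identifier or credential-like parameter, so a site operator can spot another service leaking its users' mailbox links. The parameter-name list, hostnames and sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format: the Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-parameter names that commonly carry credentials or session identifiers (assumed list).
SENSITIVE_PARAMS = {"sid", "session", "sessionid", "token", "auth", "key",
                    "login", "password", "pass", "pwd"}

def is_token_like(value: str) -> bool:
    """A long opaque alphanumeric value is a likely session or auth token."""
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9_\-]+", value) is not None

def find_leaked_referers(log_lines):
    """Return (referring host, parameter name, referer URL) for every Referer
    whose query string carries a credential-like parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # no referer sent
        parts = urlsplit(referer)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS or is_token_like(value):
                findings.append((parts.hostname, name, referer))
                break  # one finding per log line is enough to raise the alarm
    return findings

# Constructed sample lines: an ordinary search referer, a webmail referer carrying
# a session token in its URL, and a request with no referer at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /rooms HTTP/1.0" 200 2326 "http://search.example/?q=hotels" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2000:14:01:12 +0000] "GET /rates HTTP/1.0" 200 1011 "http://mail.example.net/inbox?sid=a1B2c3D4e5F6g7H8i9J0&folder=inbox" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Oct/2000:14:03:40 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, param, url in find_leaked_referers(SAMPLE_LOG):
        print(f"referer from {host} leaks parameter '{param}': {url}")
```

On the webmail side, the fix is the mirror image: keep session state out of URLs so there is nothing for a Referer header to leak.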

Heaton tested the vulnerability by setting up another Talk21 account and replicating the actions. As soon as he found out about the problem he telephoned and then e-mailed BT.

However, when several e-mails over a period of 18 hours drew no reply from BT, Heaton told the company he would go to the press unless it acknowledged the flaw. BT finally telephoned Heaton 36 hours after his initial contact, by which time he had already contacted the BBC.

Ovum analyst Paola Bassanese said, "The service has no security whatsoever. When you register for free e-mail you should see the padlock symbol - Talk21 does not have this.

"User name and password security alone is inadequate - there is no encryption on Talk21 or use of SSL sessions. What the user has pointed out is a configuration problem with Talk21. The site should not allow the storing of Web site pages."

A BT spokesman said, "The problem was fixed within three hours and there was no evidence that any e-mails were tampered with. We are now reviewing security across the whole site."

The spokesman would not comment on BT's failure to respond to Heaton's initial warnings, but said, "We are grateful that Mr Heaton made us aware of the problem."

A message on the Talk21 Web site said, "This problem has been fixed and no customers have been affected. We constantly monitor security for your protection and we will continue to do so."
