Security flaw found in BT's talk21 email

by John Leyden

29 Sep 2000

BT's free web-based email service talk21 has come under fire for lax security after an online businessman stumbled across a flaw that gave him access to users' email accounts.

John Heaton, who runs Hotelkeeper.net, sent a number of marketing messages to members of the hotel trade, including some of talk21's 2.5 million users. He discovered that when a recipient clicked on a hyperlink within the email, his website logs recorded a web address that linked directly into that recipient's talk21 mailbox.

The vulnerability would have allowed someone to read or send messages, or change personal details, provided the web address was accessed within 30 minutes of the user logging off from their account.

A BT spokesman said the problem was isolated and only existed for a short time. BT has made changes to its service to ensure it does not happen again.

"This is an isolated security breach that has now been closed down," he said. "We're not aware of any tampering with our customers' accounts. We don't believe this security breach has been used maliciously."

Heaton said BT was slow to act on the problem, taking 26 hours to fix it only partially. By reviewing his log files he found that the problem must have existed for at least three weeks. He added that Yahoo and Hotmail users are not affected by the problem, and that BT's fix does not go far enough.

"BT has disabled the ability for its customers to go on a hyperlink in talk21. I've tested it and the referral page still goes back to an email message, though it no longer allows access to the inbox. If you knew what you were doing you could still get into an account - they've only reduced the problem," said Heaton.

"BT has given an aspirin for a headache rather than look at why people had a headache in the first place."

Matt Tomlinson, business development director of MIS Corporate Defence Solutions, said BT was guilty of lax security, and that cookies, rather than web addresses, should be used to authenticate users to online email services.
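The mechanism described above is a session identifier carried in the mailbox URL: browsers send the page's URL as the Referer header when a user follows a link out of it, so the identifier lands in the destination site's access log, which is exactly where Heaton found it. As an added example (not from the article, BT or Hotelkeeper.net), the Python below lets a site operator spot token-bearing referers in a combined-format access log and redact them before they are stored; the hostnames, token value and log lines are constructed, and the parameter-name heuristic is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Parameter names that commonly carry a session or login token (heuristic, an assumption).
TOKEN_NAME_RE = re.compile(r'sess|sid|token|auth|login|key|ticket', re.IGNORECASE)
# Values that look like opaque credentials: 16+ URL-safe characters including a digit.
OPAQUE_VALUE_RE = re.compile(r'^(?=.*\d)[A-Za-z0-9_\-=]{16,}$')

def leaked_params(referer):
    """Return the (name, value) query pairs in a Referer URL that look like session tokens."""
    if not referer or referer == "-":
        return []
    query = urlsplit(referer).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True)
            if TOKEN_NAME_RE.search(n) or OPAQUE_VALUE_RE.match(v)]

def redact_referer(referer):
    """Mask token-like parameters in a Referer so the stored log line no longer carries them."""
    parts = urlsplit(referer)
    bad = {n for n, _ in leaked_params(referer)}
    cleaned = [(n, "REDACTED" if n in bad else v)
               for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def scan_access_log(lines):
    """Return [(referring host, leaked pairs)] for lines whose Referer carries a token-like value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        leaked = leaked_params(m.group("referer"))
        if leaked:
            hits.append((urlsplit(m.group("referer")).netloc, leaked))
    return hits

# Constructed sample lines: hosts, addresses and the token value are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Sep/2000:10:14:02 +0100] "GET /offers HTTP/1.0" 200 5120 '
    '"http://webmail.example.net/cgi-bin/read?folder=inbox&sessid=9f86d081884c7d65" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Sep/2000:10:15:44 +0100] "GET /offers HTTP/1.0" 200 5120 '
    '"http://search.example.com/?q=hotel+software" "Mozilla/4.0"',
    '192.0.2.9 - - [29/Sep/2000:10:16:01 +0100] "GET /offers HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
]
```

A hit names the referring service whose URLs carry the token, so its operator can be notified as Heaton notified BT, and redacting before storage limits what a leaked or shared log can reveal.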
