This is a neato bug, and you can only
find it in Microsoft products -=) This story was first reported on
MacCentral.com's Website when computer student Andrew Jung found this hole.
It will not faze most people, but if you are on work or school machines
running Outlook Express 4.5 with multiple profiles you should read
below.
The following is a MacCentral.com article:
Email encryption problems should be solved in Sonata
by Dennis Sellers, dsellers@maccentral.com
June 15, 1999, 9:45 am ET
If you're using a free Mac email application, you inherently have a lack of
secure encryption as Andrew Jung, a computer science student at Camosun
College (Victoria BC, Canada), recently discovered. Jung was using Outlook
Express 4.5 on the family iMac when he came upon what he described as a
"disturbing bug."
Jung attempted to use the "Change Current User" menu item of Outlook
Express to access his personal email account (three separate email accounts
were on the family Mac) when he realized he'd forgotten his password. He
clicked "Cancel" and was returned to the account selection dialog.
"I selected my step father's account, typed in his password, and got a
message saying that his password was incorrect," Jung says. "I tried again
and again. No go. Then for the heck of it I looked up my password for my
account, tried it, and got it. I did the procedure repeatedly, and I can
reproduce it every time. Whatever account I click and then cancel, that is
the password for all the accounts."
The situation can be reproduced this way:
- Open Outlook Express and at the user account dialog select "New User."
In the settings type in any password you want.
- Select change user from File.
- Select the newly created account, then click "OK."
- Click cancel at the password prompt.
- Select the user's account you would like to break into, and click "OK."
- Type in YOUR password for the new account and you're in.
DON'T try this at work or to access anyone's email account without
permission. This notice is for "demonstration purposes" only.
MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft,
and Product Manager Irving Kwong confirmed the problem. He says Outlook
Express doesn't encrypt mail data stored in the application - but that the
problem isn't unique to Microsoft's free email application.
"Encryption functionality of mail data does not exist in any free Macintosh
email application, as this level of security is best executed at the
operating system level," Kwong says. "Outlook Express' password protection
between multiple users on the same computer is not secure. The password
merely acts as a padlock on users' personal preferences."
So what is a secure solution? Kwong says it's coming with the next ramp of
the Mac OS, codenamed Sonata.
"You may remember Sonata's new multiple user environment being demonstrated
at the WWDC," Kwong says (check out our story at http://www.maccentral.com/news/9905/10.sherlock.shtml).
"We have been working on support for Sonata's multi-user functionality for
Outlook Express and demonstrated this technology at the WWDC. This is the
first offering of system-level security for multiple users sharing a
Macintosh and is the best solution for true support, as it ensures password
and data security. For Outlook Express customers and Macintosh users
looking for a password secure solution for multiple users sharing a
computer, we suggest using the upcoming version of Outlook Express with
Sonata. The combination of Outlook Express and Sonata is a secure solution
for Macintosh users doing email from the same computer."
Sonata is due in the second half of the year.
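
The behaviour Jung reports (the password of whichever account was selected and then cancelled is accepted for every account) is what a login dialog does when it keeps per-selection state across a cancel. The sketch below is an added example, not code from the article or from Outlook Express, and the article does not say what the actual defect was; the class names, the caching logic and the sample accounts are all assumptions made to model the symptom beside a hardened form.

```python
# Hypothetical model of a multi-profile login dialog; not Outlook Express code.
import hashlib, hmac, os

def _verifier(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the store never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class ProfileStore:
    def __init__(self):
        self._db = {}
    def add(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, _verifier(password, salt))
    def record(self, user):
        return self._db[user]

class StaleDialog:
    """Flawed (assumed cause): verifier cached on first selection, never refreshed."""
    def __init__(self, store):
        self.store, self.selected, self._cached = store, None, None
    def select(self, user):
        self.selected = user
        if self._cached is None:       # BUG: a later selection reuses the old record
            self._cached = self.store.record(user)
    def cancel(self):
        self.selected = None           # BUG: _cached survives the cancel
    def submit(self, password):
        salt, want = self._cached
        return hmac.compare_digest(_verifier(password, salt), want)

class FixedDialog(StaleDialog):
    """Hardened: nothing cached; the record is bound to the selection at submit time."""
    def select(self, user):
        self.selected = user
    def submit(self, password):
        if self.selected is None:
            return False
        salt, want = self.store.record(self.selected)
        return hmac.compare_digest(_verifier(password, salt), want)

def replay(dialog_cls):
    """Constructed scenario following the article's steps.
    Returns (own password accepted for other account, real password accepted)."""
    store = ProfileStore()
    store.add("stepfather", "his-real-password")   # constructed sample accounts
    store.add("newuser", "my-password")
    d = dialog_cls(store)
    d.select("newuser"); d.cancel()                # select own account, then cancel
    d.select("stepfather")                         # now pick the other account
    return d.submit("my-password"), d.submit("his-real-password")
```

A regression test for this class of bug asserts both halves: the wrong account's password must be rejected and the right one accepted after a cancelled prompt.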