
Friday, 29 September, 2000, 15:36 GMT 16:36 UK
BT bungles security fix
[Image: BT Talk21 e-mail account. Caption: "Problem eradicated"... except that it wasn't at all]
By BBC News Online's Iain Rodger

BT has bungled fixing a serious internet security flaw, adding to the concerns of customers at its free e-mail service, Talk21.

The breach of security was revealed by BBC News Online on Thursday.

It meant that Talk21 e-mail accounts were vulnerable to unauthorised access, without any hacking, through a software quirk that computer experts described as "obvious" and "simple to prevent".

On Friday morning, BT claimed it had installed a "patch" for the problem, but in fact it had not solved it at all.

New flaw

Originally, anyone monitoring visitors to their own website using certain software could, with one click, find themselves given full access to private Talk21 e-mail accounts.

After the patch, they would find they were instead shown the private e-mail containing the hyperlink which the Talk21 account holder had used to visit their website.

In other words, it was still a serious breach of security.

[Image: Talk21 website message. Caption: Statement on Talk21 website]

Computer experts said it would be very simple for anyone with technical knowledge, who was so inclined, to work back from that e-mail into the user's Talk21 account, as in the original security breach.

At first, BT spokesman Simon Gordon told BBC News Online the problem had been solved.

However, when the new flaw was explained, he passed the details to BT's technical staff.

"We will have a new patch in place in an hour or so," he said at 1400 GMT, stressing that BT took security issues very seriously.

Hot mail

In the meantime, a number of users have contacted BBC News Online to say how angry they are that BT did not put a statement on the Talk21 website warning account holders of the security risk.

One said: "I was very surprised and disgusted that a company of BT's calibre still had the site available even after the fault was reported by BBC News Online."

Another claimed that users of BT's mobile messaging service, Genie Internet, had been suffering similar security problems for "the best part of a year".

BT's Simon Gordon said an apology and explanation "reassuring users" would be put on the site once the problem was solved.

So far, only the message pictured above has appeared.

He said BT had not put a statement on the site sooner because it felt there was nothing to be gained by alarming account holders when the company had no evidence that any of them had "suffered any damage".

Less than 24 hours ago, the company said it had no evidence of any security breach.
