A code which may have been created by a WebTV executive to track visitors to its Web site has turned into a hackers' dream - they've been reported embedding Web pages' and newsgroups' HTML with the stealthy code to force WebTV e-mail accounts into sending messages without the user's knowledge.
A community site for WebTV users reported the outbreak to Wired Monday, after the hole was first disclosed by Net4TV. The code is also being used to spam WebTV's abuse mailbox as well as sending e-mail to unsuspecting third party, the magazine reports.
A spokeswoman for Net4TV's parent Iacta.com, Laura Buddine, tells Wired the code first became known to the hacking community last September but became widespread during the past week. The code's been put on newsgroups accessible to WebTV users alone as well as hacker newsgroups like alt.discuss.webtv.hacking, she says.
Buddine says the code in question was first written by a WebTV worker to track site visitors, but quickly turned into a tool for troublemakers. "I could envision someone using it to get others in trouble by sending death threats from other people's accounts," she tells Wired. There are no reports yet, though, suggesting such hackers are using the code to force unsuspecting WebTV users to either receive pornographic e-mail or to visit porn Web sites.
The code can also be used to forward e-mail from sent mail or saved mail folders, the magazine days. Buddine says a WebTV worker has acknowledged the security hole and posted a warning to WebTV users not to visit alt.discuss.webtv.hacking because it would cause erroneous messages to go to the WebTV abuse mailbox, Wired says.
Net4TV has also reported WebTV e-mail accounts that were full would disclose subscriber and user ID information as part of an automatic reply, but WebTV fixed the problem shortly thereafter.
