Hotmail audit confirms Microsoft security

Microsoft this week said an outside audit of Hotmail confirmed that it had fixed security holes in the email service.

However, because the full audit report had not been made public the whole exercise has been criticised by security experts.

Microsoft had to shut down the free service in August when a security flaw that compromised the privacy of 40 million Hotmail users was discovered.

Any person could access any Hotmail account without a password. An unauthorised party merely needed to know a user's name, which is often found in the Hotmail email address. Security experts said at the time that intruders could see a user's messages and even take control of the account.

Truste, a non-profit group that monitors Web privacy, recommended that Microsoft hire an outside auditor to provide validation that the security issue had been resolved.

Microsoft agreed, and said in statement: "Based on the inquiry by a [as yet unnamed] Big Five accounting firm, Truste and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that it is in compliance with the Truste licensing agreement."

The sofware giant also said it had implemented several quality-control procedures to help prevent future incidents of this kind.

However Jason Catlett, president of security specialist Junkbusters, was dissatisfied with events. "Suppose that a nuclear reactor leaked and the company commissioned a investigation by an independent engineering firm then claimed everything was fine but declined to even name the engineering firm, let alone make the report public. They would be scorned, and so should Truste and Microsoft," he said.

Catlett added: "Their parading of this cynical PR ploy as a triumph of self-regulation is a laughable travesty."