A Swedish computer security consultant named Dan Egerstad has found a vulnerability that allowed him to obtain the user names and passwords of at least 1,000 e-mail accounts belonging to embassy employees around the world as well as legislators and civil rights workers in Hong Kong and China, and workers in the office of the Dalai Lama. At least one of the accounts belongs to an ambassador – the Indian ambassador to China. He also says he found some vulnerable accounts at large companies in the U.S. and the U.K., though he wouldn't identify them.

Egerstad posted a list of 100 of those user names and passwords on his web site yesterday to get the attention of the account holders and IT administrators – most of whom he says have so far ignored his warnings about their vulnerability. He also posted the IP addresses of the e-mail servers.

He won't say exactly what the vulnerability is, but see farther down in this post for details about the program that might be affected. If anyone can figure out what it might be, send me an e-mail.

Egerstad says he's read about a thousand e-mails in the vulnerable accounts and has found some pretty sensitive information. This includes requests for visas; information about lost, stolen or expired passports; and an Excel spreadsheet containing the sensitive data of numerous passport holders – including passport number, name, address, and date of birth. He also found documentation about meetings among government officials.

A reporter for the Indian Express newspaper accessed the account for the Indian ambassador in China and found details of a visit by a member of India's parliament to Beijing and the transcript of a meeting between a senior Indian official and the Chinese foreign minister.

Egerstad says he didn't find any U.S. embassy or government agency accounts that were vulnerable so far. But those he did find – and posted on the internet – were accounts for embassies of Iran, India, Japan, Russia, and Kazakhstan. Forty of the accounts belong to workers at Uzbekistan embassies in various countries. He also posted addresses for the foreign ministry of Iran, the U.K. visa office in Nepal, the Hong Kong Democratic Party, Hong Kong Liberal Party, the Hong Kong Human Rights Monitor, the India National Defence Academy, and the Defence Research & Development Organisation at India's Ministry of Defence.

The information, to no one's surprise, reveals some pretty bad password hygiene. The password for the exposed Iranian embassy accounts, for example, is the name of the country in which the embassy resides or the name of a city. The user name of those accounts is a variation of the same city or country name used for the password. Passwords for accounts used by the Hong Kong Liberal Party include "123456" and "12345678". Some of the workers in Indian embassies use "1234," and the password for the India Ministry of Defence account is "password+1". Workers in the Mongolian embassy in the U.S. were just as lazy; their password is "temp."

Egerstad says he has at least 900 more e-mail addresses and passwords he could expose (and no doubt even more than this if he spent the time looking for them). He says he obtained the data not by hacking any computers or servers but through a man-in-the-middle attack: sniffing unencrypted traffic that carried the log-in names and passwords for the e-mail accounts. He's remaining tight-lipped about most of the details, though I did manage to wring some information out of him. He says no one has figured out the problem program, so if any readers can determine what the issue is, please let me know.

From what he tells me, the vulnerability seems to involve a free encryption program that the users have installed on their desktops. He says the vulnerability lies in the way the users are implementing the software. He wouldn't say conclusively whether or not it's PGP.
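What a passive listener on the network path sees when a mail client logs in without TLS, as an added example (this is not code from the original post and not Egerstad's tool): the article names neither the mail protocol nor the software involved, so the script assumes the clients spoke POP3, IMAP and SMTP AUTH PLAIN in the clear, and the three sessions, IP addresses and account names below are constructed. It pulls each login out of the reassembled streams and tags every password with the weakness patterns the article describes (digit runs, place names, variations of the user name, throwaway words).

```python
"""Passive capture of plaintext mail credentials from reassembled sessions.

Added example, not code from the original post or from Egerstad. The
article says only that passwords were sniffed from unencrypted mail
traffic; this script ASSUMES the clients spoke POP3, IMAP and SMTP in the
clear. All sessions below are constructed, not captured data.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample streams keyed by (client, server, port). "C:" lines are
# what the client sent, "S:" lines what the server answered. Anyone on the
# path between the two sees exactly this when no TLS is in use.
SAMPLE_SESSIONS: Dict[Tuple[str, str, int], str] = {
    ("10.0.0.5", "198.51.100.10", 110): (
        "S: +OK POP3 ready\n"
        "C: USER embassy.city\n"
        "S: +OK\n"
        "C: PASS city\n"
        "S: +OK Logged in.\n"
        "C: STAT\n"
    ),
    ("10.0.0.6", "198.51.100.20", 143): (
        "S: * OK IMAP4rev1 ready\n"
        'C: a001 LOGIN "hk.liberal" "123456"\n'
        "S: a001 OK LOGIN completed\n"
    ),
    ("10.0.0.7", "198.51.100.30", 587): (
        "S: 220 smtp ready\n"
        # SASL PLAIN is base64("\0defence\0password+1"): encoded, not encrypted
        "C: AUTH PLAIN AGRlZmVuY2UAcGFzc3dvcmQrMQ==\n"
        "S: 235 2.7.0 Authentication successful\n"
    ),
}


@dataclass
class Credential:
    client: str
    server: str
    port: int
    protocol: str
    username: str
    password: str


POP3_USER = re.compile(r"^USER\s+(\S+)", re.I)
POP3_PASS = re.compile(r"^PASS\s+(\S.*)$", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
SMTP_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)$", re.I)


def extract_credentials(sessions: Dict[Tuple[str, str, int], str]) -> List[Credential]:
    """Walk each stream and pull out every login that went by in the clear."""
    found: List[Credential] = []
    for (client, server, port), stream in sessions.items():
        pending_user: Optional[str] = None  # POP3 sends USER and PASS as two commands
        for line in stream.splitlines():
            if not line.startswith("C: "):
                continue  # only client-to-server lines carry credentials
            cmd = line[3:]
            if m := POP3_USER.match(cmd):
                pending_user = m.group(1)
            elif (m := POP3_PASS.match(cmd)) and pending_user:
                found.append(Credential(client, server, port, "POP3", pending_user, m.group(1)))
                pending_user = None
            elif m := IMAP_LOGIN.match(cmd):
                found.append(Credential(client, server, port, "IMAP", m.group(1), m.group(2)))
            elif m := SMTP_PLAIN.match(cmd):
                # RFC 4616: base64 of authzid NUL authcid NUL password. Decoding is not cracking.
                parts = base64.b64decode(m.group(1)).split(b"\0")
                if len(parts) == 3:
                    found.append(Credential(client, server, port, "SMTP",
                                            parts[1].decode(), parts[2].decode()))
    return found


# Patterns the exposed passwords fell into, per the article. Both word lists
# are constructed and deliberately short.
PLACE_NAMES = {"china", "india", "sweden", "nepal", "beijing", "moscow", "tokyo"}
THROWAWAY = {"password", "password+1", "temp", "test", "admin"}


def weakness(cred: Credential) -> Optional[str]:
    """Return why a captured password is weak, or None if no listed pattern fits."""
    pw = cred.password.lower()
    if pw.isdigit() and pw in "1234567890":
        return "digit sequence"
    if pw in PLACE_NAMES:
        return "place name"
    if len(pw) >= 3 and pw in cred.username.lower():
        return "contained in user name"
    if pw in THROWAWAY:
        return "throwaway word"
    return None


def report(sessions=SAMPLE_SESSIONS) -> List[Tuple[str, str, str, Optional[str]]]:
    """One row per captured login: protocol, user name, password, weakness."""
    return [(c.protocol, c.username, c.password, weakness(c)) for c in extract_credentials(sessions)]


if __name__ == "__main__":
    for proto, user, pw, why in report():
        print(f"{proto:5} {user:15} {pw:12} {why or 'no obvious pattern'}")
```

Nothing in this script is decrypted or cracked: POP3 USER/PASS and IMAP LOGIN travel as literal text and SASL PLAIN is only base64, which is why an intermediary can collect credentials without touching the mail servers or the users' machines. The client-side fix is to require TLS (POP3S/IMAPS, or STARTTLS with certificate verification) so these lines never reach the wire in readable form.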

"(The victims) are using a technique (to access their e-mail) that they don't understand how it works," he says. "They didn't understand how or why to use it."

He says he found the information a while ago when he decided to test a theory and thinks he's probably not the first one to discover the problem.

"I'm pretty sure someone else has found it but they're just not telling anyone about it," he says, "and are just using it (to read vulnerable e-mail accounts)."

He sat on the information for a while trying to figure out what to do with it. He says he contacted some of the victims, but got no response, which is what led him to finally post the data. He also says that some Swedish journalists have since contacted all of the embassies whose accounts he exposed online, and that they've been unresponsive for the most part. He knows of only one account in which the password has been changed since he exposed it – that of the Russian embassy in Sweden.

I contacted the owners of several exposed accounts in Hong Kong, but none of them responded to my queries. I did, however, get an answer to an e-mail I sent to Ken Chan at the One Country Two Systems Research Institute of Hong Kong, whose account information and password had been posted on Egerstad's web site. In response to my e-mail warning Chan that his account had been compromised and that intruders might already be reading his e-mail, I got a warm response from someone who clearly had compromised Chan's account and read my e-mail in his inbox. The intruder sent his greeting from a Gmail account:

From: kenloveskim@gmail.com
Dear Kimsey. I really appreciate your concern for my email account. You are cute, and i love you. :-) I look forward to be seeing you soon. Take care. Sincerely, Ken.

Photo: Max Ortiz/Detroit News