Hotmail remote password reset 0-day bug found, patched
Posted on 26 April 2012.
A critical security flaw affecting Microsoft's Hotmail was detected almost simultaneously by Vulnerability Lab researchers and a Saudi Arabian hacker and, until Microsoft put a temporary fix in place last Friday, it was used by hackers to hijack users' Hotmail/Live accounts.

"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based)," explained Vulnerability Lab's researchers.

"The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values '+++)-'. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."
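The weakness the researchers describe, as an added example that is not code from the article or from Microsoft: a toy Python reset handler with hypothetical function names and constructed sample data, showing a token check that only tests for an empty value beside one that verifies the submitted token against the value actually issued for that account.

```python
import hmac
import secrets

# Constructed sample data (not real accounts): one reset token the server issued
# for one account, and that account's current password. A real service would
# persist tokens with an expiry and store password hashes, not plaintext.
ISSUED_TOKENS = {"alice@example.invalid": secrets.token_urlsafe(32)}
PASSWORDS = {"alice@example.invalid": "original-secret"}


def vulnerable_token_ok(user, token):
    """The weak check the researchers describe: only an empty token is
    rejected, so a tampered request carrying any junk value passes."""
    return bool(token)


def fixed_token_ok(user, token):
    """Hardened check: the token must match the one issued to this very
    account, compared in constant time, and is consumed after one use."""
    issued = ISSUED_TOKENS.get(user)
    if not issued or not token:
        return False
    if not hmac.compare_digest(issued.encode(), token.encode()):
        return False
    del ISSUED_TOKENS[user]  # single use: a captured token cannot be replayed
    return True


def handle_reset(request, token_ok):
    """Simulated reset endpoint receiving the (possibly tampered) form body.
    Returns True only if the password was actually changed."""
    user = request.get("user", "")
    if user not in PASSWORDS:
        return False
    if not token_ok(user, request.get("token", "")):
        return False
    PASSWORDS[user] = request["new_password"]
    return True


if __name__ == "__main__":
    tampered = {"user": "alice@example.invalid", "token": "+++)-",
                "new_password": "attacker-chosen"}
    print("vulnerable check accepts tampered token:",
          handle_reset(dict(tampered), vulnerable_token_ok))
    print("fixed check accepts tampered token:",
          handle_reset(dict(tampered), fixed_token_ok))
```

The fixed check also fails closed for unknown accounts and for a replayed token, which is the behaviour a defender should expect from a reset endpoint.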

Naveen Thakur offers a description of the exploit, of which he saw videos propagating online: "It involves using a Firefox addon called Tamper Data which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacker had to do was to select the 'I forgot my Password' and select 'Email me a reset link' and start the Tamper Data in Firefox and modify the outgoing data."

The bug was too easy to exploit, he says, and it spread like wildfire through the hacking community and forums.

The Vulnerability Lab researchers discovered the flaw on April 6 and proceeded to inform Microsoft's Security Response Center. The company issued a temporary fix on April 21, after which attackers who attempted to use the exploit were shown a "Server Error" message.

But, according to Thakur, the fix didn't go out soon enough for some users. Many who had linked their email account to their PayPal, Facebook, Twitter and other accounts got those compromised as well, and some even had money stolen from their PayPal accounts.

Copyright 1998-2014 by Help Net Security.