Hotmail remote password reset 0-day bug found, patched

A critical security flaw affecting Microsoft’s Hotmail was discovered almost simultaneously by Vulnerability Lab researchers and a hacker from Saudi Arabia and, until Microsoft put a temporary fix in place last Friday, it was being used by attackers to hijack users’ Hotmail/Live accounts.

“The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based),” explained Vulnerability Lab’s researchers.

“The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values ‘+++)-‘. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.”

Naveen Thakur offers a description of the exploit, of which he saw videos propagating online: “It involves using a Firefox addon called Tamper Data, which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacker had to do was to select ‘I forgot my Password’, select ‘Email me a reset link’, start Tamper Data in Firefox and modify the outgoing data.”
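To make the flaw class concrete, here is an added example in Python. It is not Microsoft’s code and not from Vulnerability Lab or Thakur (Hotmail’s actual reset logic is not public); it illustrates the pattern the two quotes describe. A reset handler whose only token check is “is the field non-empty” lets the junk value ‘+++)-‘ through, and tampering the outgoing request is all an attacker needs. Beside it sits a hardened handler that acts only on a server-issued random token that is bound to the account, expires, and can be used once. The `ResetTokenStore` class, the `accounts` dictionary and all function names are assumptions made for this illustration.

```python
import hmac
import secrets
import time

# Added illustration of the flaw class the article describes, not Microsoft's
# code (the real Hotmail reset logic is not public). The `accounts` dict, the
# ResetTokenStore class and all function names are assumptions for the demo.


def vulnerable_token_check(token):
    """Mirrors the described weakness: the only test is 'is the value empty?'.
    Any non-empty string, including junk such as '+++)-', passes."""
    return bool(token)


def vulnerable_reset_password(accounts, token, target_account, new_password):
    """Reset handler that trusts the request as long as the token field is set."""
    if not vulnerable_token_check(token):
        return False
    accounts[target_account] = new_password  # attacker-chosen value lands here
    return True


class ResetTokenStore:
    """Server-side store of issued reset tokens: random, bound to one account,
    expiring, and single-use. `now` is injectable so expiry can be tested."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self._tokens = {}  # token -> (account, expiry_timestamp)
        self._ttl = ttl_seconds
        self._now = now

    def issue(self, account):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = (account, self._now() + self._ttl)
        return token

    def consume(self, token, account):
        """Return True exactly once for a valid, unexpired token issued for
        `account`; anything else, including a valid token presented for a
        different account, is rejected and the token is discarded."""
        if not isinstance(token, str) or not token:
            return False
        presented = token.encode("utf-8")
        match = None
        for stored in self._tokens:
            # Constant-time comparison so response timing does not leak
            # how many leading characters of a guess were right.
            if hmac.compare_digest(stored.encode("utf-8"), presented):
                match = stored
        if match is None:
            return False
        bound_account, expiry = self._tokens.pop(match)  # single use
        if self._now() > expiry:
            return False
        return bound_account == account


def hardened_reset_password(store, accounts, token, target_account, new_password):
    """Reset handler that only acts on a token the server itself issued for
    this exact account, never on state the client asserts in the request."""
    if not store.consume(token, target_account):
        return False
    accounts[target_account] = new_password
    return True


if __name__ == "__main__":
    accounts = {"victim@example.com": "old-password"}  # constructed sample data
    print("vulnerable, junk token:",
          vulnerable_reset_password(accounts, "+++)-", "victim@example.com", "pwned"))
    store = ResetTokenStore()
    print("hardened, junk token:",
          hardened_reset_password(store, accounts, "+++)-", "victim@example.com", "pwned"))
    tok = store.issue("victim@example.com")
    print("hardened, real token:",
          hardened_reset_password(store, accounts, tok, "victim@example.com", "new-password"))
```

The point of the hardened version is that every decision rests on server-side state: the token has to match one the server generated, for the account it was generated for, within its lifetime, and only once. Editing the outgoing request with a tool like Tamper Data then changes nothing the server relies on, which is what the vulnerable check, by accepting any non-empty value, failed to guarantee.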

The bug was too easy to exploit, he says, and it spread like wildfire through the hacking community and forums.

The Vulnerability Lab researchers discovered the flaw on April 6 and reported it to Microsoft’s Security Response Center. The company issued a temporary fix on April 21, after which attackers attempting to use the exploit were shown a “Server Error” message.

But, according to Thakur, the fix did not come soon enough for some users. Many who had linked their email account to their PayPal, Facebook, Twitter and other accounts had those accounts compromised as well, and some even had money stolen from their PayPal accounts.
