Microsoft Fixes Severe Hotmail 0-day Password Hole After Widespread Exploitation
Microsoft quietly released a fix to close a major security hole, which allowed anyone with basic computer knowledge to hijack anyone's Hotmail account.
Microsoft quietly released a fix for a severe security risk discovered in their Hotmail servers. The flaw affected Hotmail’s password reset system, allowing an attacker to reset the target’s email password without their knowledge. In fact, the error was so severe that any and every Hotmail account was vulnerable to the attack.
The flaw relied on an error in the way Hotmail handles password reset requests. In order to prevent anyone but the owner of the account from resetting the password, Hotmail’s servers use a token-based system, where the user clicks a link in an email sent to them by Hotmail’s servers which contains the token information; the link then allows the user to reset their password. The flaw lied in the way Hotmail’s servers verified the tokens, allowing attackers to reset the passwords of any account they wanted.
The hack was so easy to perform that hackers initially offered to crack any Hotmail account for as little as $20. Eventually, the method became known to a wider audience and began to spread like fire across the internet, but was more prevalent among the Arab communities. The flaw was discovered independently by a Saudi hacker at dev-point.com and by the team at Vulnerability Labs. Vulnerability Labs discovered the flaw on April 6th, but waited until April 20th to report it to Microsoft, who released a fix within hours of receiving the notice.
If your account was hacked using this method, it will be fairly easy to spot, as your password will no longer work when attempting to access your account. Regaining access to your account may be a problem, however, because one of the first steps a hacker takes in an attack like this is to change the recovery information once access to the account has been obtained. This prevents the target from regaining access to their account. Submitting a support ticket to Hotmail’s support staff would be the only recourse available at that point.
Source: Ars Technica