Microsoft squashes Hotmail password hijack bug
Hackers offer to crack accounts for £12
Microsoft has smacked down a Hotmail bug that allowed hackers to lock users out of their own accounts.
Redmond took one day to slap down a glitch that allowed anyone with a Firefox add-on to remotely reset the password of a Hotmail account. The Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data.
When they hit a password reset on a given email account they could fiddle the requests and input in a reset they chose. Vulnerability-lab.com outlined the details:
Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access.
The bug seems to have been around for a while, but has recently been targeted by hackers on a larger scale. Blog whitec0de pointed out that hackers online were advertising to crack Hotmail accounts for as little as $20 (£12).
According to the vulnerability-lab.com report: Microsoft was alerted to the flaw on 20 April, and got a fix out on 21 April, one day later. They went public with the fix yesterday.
Hotmail has 364 million users, according to a comscore report from 2010. ®
Re: At Least It Is Not Communism
Please give generously.
So what about those of us that got locked out?
I got locked out of my own hotmail account a few months ago, and many many attempts to get MS to reset the password were fruitless.
They kept telling me that it was my fault for having a weak password, that there was nothing wrong with their security, that someone must have seen me type it in, etc....
Plus they didn't want to reset it because I did not know the new secret word/sentence that the attacker set.
After loads of hassle I gave up (I only really had the account for historic reasons and msn, due to some people still using it), but for those who still used MS for their main account must have had a lot of problems.
So now that it turns out it was a bug, will MS finally start agreeing to reset accounts? Ideally an apology would be nice as well, but I don't think that will happen.
I wonder how long this bug has been known about... I used to remember people telling me about their hotmail getting hacked (even years ago, before gmail for example), but never knew how it was done.
Re: What's not ben mentioned
Microsoft are being VERY quiet on that
After Sophos proved it was impossible, I expect they felt little need to comment.
Nice try, Barry.