Microsoft patches zero day password reset bug in Hotmail

Leeky

Microsoft has rushed out a fix for a critical zero day bug on their popular Hotmail service after it was discovered by a security researcher earlier in the month. Although it was reported to Microsoft in a timely manner, details of the exploit were leaked to the hacker community, which then started offering to hack users' Hotmail email accounts.

The vulnerability was first discovered and reported to Microsoft by a member of the popular Saudi Arabian security forum dev-point.com. Details on how to exploit it were then leaked to hacker sites.

The vulnerability enabled those actively exploiting it to reset a user's Hotmail password, locking the owner out of the account and giving the hacker complete access to their inbox. It is believed that it took advantage of the way Hotmail's password reset process passed data back and forth with the browser. By using Tamper Data, an add-on tool for the Firefox browser, they were able to capture the outgoing HTTP requests in real time and then modify them as they chose.

"Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values "+++)-". Successful exploitation results in unauthorized MSN or Hotmail account access," Vulnerability-lab.com wrote in an announcement on its website.

As knowledge of the process spread further, videos of accounts being taken over in real time were uploaded to YouTube. Online security magazine Whitec0de documented that hackers even started offering to break into Hotmail accounts for as little as $20. Microsoft responded by immediately quashing the zero day bug.

The firm also released a brief statement via their official Security Response Twitter account: "On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed."
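The quoted advisory says the token protection only checked whether the value was empty. As an added example (not part of the original article and not Microsoft's code), the Python below contrasts that check with one that compares the submitted value against a token issued server-side for the account; the function names, the in-memory store and the 15-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for a server-side reset-token table:
# account -> (token, expiry as Unix time). All names here are hypothetical.
_PENDING = {}
TOKEN_TTL_SECONDS = 900


def issue_reset_token(account, now=None):
    """Create a random token for the account and remember it server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _PENDING[account] = (token, now + TOKEN_TTL_SECONDS)
    return token


def weak_check(submitted):
    """The flaw as the advisory describes it: only emptiness is tested."""
    return submitted != ""


def strict_check(account, submitted, now=None):
    """Accept only the exact token issued for this account, once, before expiry."""
    now = time.time() if now is None else now
    record = _PENDING.get(account)
    if record is None or not isinstance(submitted, str):
        return False
    token, expires_at = record
    if now > expires_at:
        del _PENDING[account]  # expired tokens are discarded
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(token.encode(), submitted.encode()):
        return False
    del _PENDING[account]  # single use: consume the token on success
    return True
```

Because the decision is made entirely from server-side state, a value edited in the browser's outgoing request has no effect unless it equals the token that was actually issued.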
