Microsoft fixes Hotmail password flaw

 

Gallery

By Nicole Kobie

Posted on 27 Apr 2012 at 09:53

Microsoft has fixed a Windows Live flaw that allowed hackers to access Hotmail accounts.

First spotted earlier this month, the flaw let attackers abuse the password recovery system to take over accounts by using reset tokens - the link sent out to rest a password when you forget what it is.

According to reports, all the hacker had to do was request a password reset and then intercept and alter the link using a Firefox add-on called Tamper Data.

Microsoft quietly fixed the problem last week. "On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed," Microsoft said via Twitter.

According to a report from NetworkWorld, the hack was initially sold on forums in the Middle East for $20, but quickly spread. Ihe report suggests millions of accounts were targeted, but it's not yet clear how many accounts were compromised.

Researchers at Vulnerability Lab described it as as a "high severity" problem.

"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values," the site said. "Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session."

"Successful exploitation results in unauthorised MSN or Hotmail account access," it added.

Microsoft was unavailable to comment on the attack at the time of publication.