Microsoft fixes Hotmail password flaw
By Nicole Kobie
Posted on 27 Apr 2012 at 09:53
Microsoft has fixed a Windows Live flaw that allowed hackers to access Hotmail accounts.
First spotted earlier this month, the flaw let attackers abuse the password recovery system to take over accounts by using reset tokens - the link sent out to rest a password when you forget what it is.
According to reports, all the hacker had to do was request a password reset and then intercept and alter the link using a Firefox add-on called Tamper Data.
Microsoft quietly fixed the problem last week. "On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed," Microsoft said via Twitter.
According to a report from NetworkWorld, the hack was initially sold on forums in the Middle East for $20, but quickly spread. Ihe report suggests millions of accounts were targeted, but it's not yet clear how many accounts were compromised.
Researchers at Vulnerability Lab described it as as a "high severity" problem.
"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values," the site said. "Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session."
"Successful exploitation results in unauthorised MSN or Hotmail account access," it added.
Microsoft was unavailable to comment on the attack at the time of publication.
Well at least you have a valid reason why your account was so easily hacked.
By jeffl69 on 27 Apr 2012
So this could account for why Barry's account was hacked when attempting to migrate from Gmail to Hotmail in your recent feature?
By EddyOS_2K9 on 27 Apr 2012
I wonder if this is how Barry ended up sending spam to all of his contacts?
By AlphaGeeK on 27 Apr 2012
I don't think this flaw is related to the problem I had. This flaw allowed the hackers to reset the password, locking people out of their account. I could still access my account after the spam was sent out.
By Barry_Collins on 27 Apr 2012
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software