Hotmail loophole leaves Facebook accounts vulnerable
By Shona Ghosh
Posted on 9 May 2013 at 11:51
Facebook users who login using Hotmail and other web-based email services might be vulnerable to account hijacks, due to a loophole related to expired addresses.
Microsoft deactivates unused Hotmail accounts after 270 days of inactivity, reassigning the addresses to any new user who requests them after a certain period of time.
Those email addresses can then be used to reset passwords and log into other sites – such as Facebook – potentially allowing attackers to gain control of profiles.
Research from New Jersey-based Rutgers University, noted by New Scientist, found that a would-be attacker could locate expired Hotmail addresses using a simple script. The script sent out test emails to specific addresses – any bouncebacks indicated that an account had been deactivated, leaving the researchers free to request the address.
Once that was granted, they could then type the address into Facebook and ask for a password reminder. Since it appears that Microsoft doesn’t notify third-party services of an account’s expiration, Facebook then requested the attacker to reset the password, giving them easy access to the previous account holder’s profile.
In practice, the method is slow-going since the script still required manual input of specific email addresses. But the researchers noted that the more addresses and accounts they accessed, the easier it became to automate the process. It also became easier since several online mail services, and Windows Live in particular, allows users to import contacts from services.
"We can get the friends list of the account that we enter into and ﬁgure out which of those friends have expired Hotmail accounts in their turn," said the researchers. "Thus, they fall prey to our attack as well."
Microsoft's account deactivation policy
Microsoft has retired Hotmail, shifting users to the new Outlook.com. But since Outlook.com is also web-based and operates the same account deactivation policy, that could still leave users vulnerable to attack.
Gmail appears to be less vulnerable because it doesn’t allow new users to request previously used addresses.
"The problem arises from the fact that the privacy of a user’s online social network account rests on the privacy of one’s email account. Once the user loses the one, they can lose the other as well," said the researchers.
Facebook claimed the vulnerability was Microsoft's responsibility and advised users to ensure their addresses were active and up to date. The firm pointed out that there are other account recovery options available if users are concerned about resetting passwords via email, such as SMS or appointing trusted friends.
"This is not a Facebook security issue – this is a vulnerability that only applies to a small number of people who have not updated their Hotmail email address tied to their Facebook account," said the spokesperson. "Nothing is more important to us than the safety and security of people on Facebook. We encourage people to make sure the e-mail address associated with their Facebook account is up to date and secure. We are constantly building and releasing new security features - from login notifications to one time passwords, and we encourage their use."
Microsoft has not responded to a request for comment.
Is your business a social business? For helpful info and tips visit our hub.
Okay, so how many people actually use a Facebook logon with a Hotmail email address that they no longer use? I can't imagine we're talking about billions of people here. And "Microsoft doesn’t notify third-party services of an account’s expiration" - well of course it doesn't! Seems a bit of a non-issue to me.
By turnma on 9 May 2013
This isn't just about facebook, email addresses are used everywhere, sometimes linked to saved credit card information. For MS to just give away an email address that someone has used for security purposes is shocking.
The notion that this has to affect billions of people before it becomes a problem is silly.
By ChrisH on 9 May 2013
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords