Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation

suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."

Ouch

[symbolset]

It's a good thing they've gotten so committed to security, hired so many competent folks. Otherwise stuff like this might happen over and over. I'm glad this one security vulnerability in Hotmail is now completely repaired. I'll sleep better at night.

Re:Ouch

[Sarten-X]

I sleep well enough at night myself... I don't use Hotmail.

Re:Ouch

[bhcompy]

I use Windows Live mail, so I'm completely safe.

Re:Ouch

[Richard_at_work]

Im guessing that, with that attitude, you are posting that comment using nothing but some wires, a battery and a fucking good knowledge of the tcp/ip protocol?

Every system ever built has the potential for issues, and the vast vast majority of systems have actually had issues - whatever you are using right now is not an exception.

Re:Ouch

[LordLimecat]

Batteries are vulnerable to buffer overflows, you know.

(For certain definitions of "buffer" and "overflow")

Re:Ouch

[lister+king+of+smeg]

you mean pull an apple

Re:Ouch

[X0563511]

What's that burning smell?

OH GOD PUT IT OUT!

Re:Ouch

[NotBorg]

Every system ever built has the potential for issues

Every system potentially has flaws but some vendors historically have had more exploits over time than others. Just because every system has flaws doesn't mean that the severity of the flaws can't be mitigated. Some vendors are in fact better at it than others.

Stop throwing your hands in the air as if to say that there's nothing anyone can do.

Example and history lesson: Windows 7 is more secure than XP even though all the while XP was popular everyone said there was nothing MS could do. Well, apparently, they did "nothing" and 7 is just coincidently more secure? Or was it just designed better and tested more? Or is 7 just as insecure as XP? See, you can't say that Microsoft improved security without reneging on the "their's nothing they can do" apologetics.

And it's not just Microsoft (They're just handy at the moment). This same bullshit line of apologetics pops up every time there's a wide spread exploit of a popular product. It's akin to saying that since you can't prevent 100% of fatal car accidents, seat belts are pointless.

Re:Ouch

Yeah I prefer hot females instead.

Re:Ouch

[NotBorg]

I don't recall there ever being a large contingent of people claiming "theres nothing they can do".

What's the point in bringing up that all software has flaws if not to imply that there's nothing that can be done? What's the point in saying that MS has the biggest market share (and therefore the most targeted) if not to imply that there's nothing that can be done?

Re:Ouch

[symbolset]

I probably could pull that off sometime before Microsoft manages to make Hotmail secure enough to be useful.

Re:Ouch

[symbolset]

I'm going to leave this one alone from now on. Coming from this viewpoint Richard's probably heard enough about Microsoft's security problems to last a lifetime.

Re:Ouch

[symbolset]

This is your way of saying there is no hope for a thorough Hotmail security audit, even in the light of two rookie flaws making the news in a few days. Because we should just expect Hotmail to be insecure even at this level of unprofessionalism. Thanks for that. I'm really looking forward to the festival of fun that Live integration with W8 will bring.

PcPro

[gbjbaanb]

and to think of all the people who claimed that there was nothing wrong with Hotmail security and the PCPro chap who switched to Hotmail over Google must have had his password hacked by an alternative site.....

oh well, I'm sure this is just a coincidence, right.

Re:PcPro

[binarylarry]

Where's TechOK/TechFL/Bonch/etc when you need him, eh?

Re:PcPro

The PCPro guy's password was not changed, correct? My understanding from the story was that someone somehow got his password; this exploit should allow someone to change it.

Re:PcPro

[adonoman]

This would *require* someone to change it, to work.

Re:PcPro

[__aaqvdr516]

Well, since the PCpro guy logged right back in to his email, however it was compromised it wasn't with the password reset token.

If it had been the password reset token, they wouldn't know his original password, they'd have changed it to something that only the hacker would know and he wouldn't have been able to log back in like he did.

So yes, it was a coincidence and/or another unknown hack.

Re:PcPro

[ArsenneLupin]

So yes, it was a coincidence and/or another unknown hack.

Not necessarily so... The following scenario could have happened:

1. Attacker resets PCpro guy's password using this vulnerability
2. Attacker rifles through PCpro guy's mails...
3. ... and find a confirmation mail from another site, containing the password to that site (yes, some sites unfortunately do this...)
4. On a hunch, and in order to stay discrete, attackers sets hotmail password "back" to the password found in that confirmation mail

Re:PcPro

[tbannist]

Even more likely the PCpro guy reset his password and simply didn't mention that step.

Re:PcPro

[symbolset]

They've banished Windows from their network, so Google doesn't have that problem any more.

Hotmail Challenge

[Rik+Sweeney]

Looks like PC Pro's Barry Collins weak password wasn't ultimately a problem.

Re:Hotmail Challenge

Check out comment 143 from Barry's original PCPro article

Barry Collins Says:
April 27th, 2012 at 11:10 am
I consider myself suitably and rightfully admonished, Mr Winder. However, I don’t think I did fall victim to the zero-day exploit, as that would have required the hackers to reset the password. I was still able to access my account after it was hacked.

Barry Collins

Barry believes this was not the cause to his account being breached. Sounds like the fault may still be on his password choice.

Re:Hotmail Challenge

[SJHillman]

You're one of those people that thinks cars should all be limited to 65mph and ISPs should block all websites they find distasteful, aren't you?

Re:Hotmail Challenge

[Isaac+Remuant]

He is right though. 7 words, all lowercase is to be frowned upon when you're allegedly knowledgeable about technology.

Re:Hotmail Challenge

[fxbar]

I think this once more shows how amateurish software is developed at microsoft**. So I would bet some money that there is a second 0-day flaw that is used which does not require to change the password of the user. I don't believe that this password was brute forced, because even microsoft should (now) be able to prevent brute forcing. Or are they not even able to achieve that? Because his account was new it means that many attempts to brute force would have been done in a short period of time, any reasonable system today prevents that...

**I have a little experience with microsoft because we had to support IE in a project. But how IE handles private keys on smart cards is not secure at all (all sessions stay active even card is removed, which was a absolute no-go in this project). Answer from microsoft after needing weeks (and much communication overhead) to confirm the flaw: it will not be fixed before IE 11.

Re:Hotmail Challenge

7 letters, 7 words would have been a fairly strong password, even if it was all lowercase.

Re:Hotmail Challenge

[isorox]

7 letters, 7 words would have been a fairly strong password, even if it was all lowercase.

Assuming that a hacker knew it was 7 lowercase letters, and they were random, that's 26^7
That's more secure than 5 random characters from the about 72 upper/lower/numeric/symbols

Now I believe his password was actualy xxx, giving about 2000*26*26*26 combinations, only as secure as a 4 random character password, however unless someone had access to hotmail's hashes, it doesn't matter.

Most backs have a password of 4 numbers. That's 10,000 combinations, it's barely more secure than a 2 symbol password! However those banks lock you out after 3 failed attempts, you won't be brute forcing that. I'd hope things like hotmail would do something similar -- maximum of 5 login attempts in 5 minutes for example, and an email to your account whenever you get a wrong password.

Re:Hotmail Challenge

[cc_pirate]

There has to be another zero day hack out there because I know several people who had their Hotmail account hacked last year and in some cases they hadn't even logged in to Hotmail in months when they were hacked. They could have had weak passwords, but still. How do you manage to run thousands of password attempts against an online service like Hotmail without having some other hack (i.e. password Hotmail's hash file or such).

There has to be another zero day hack out there for sure or else M$ has the same problem I think Blizzard has (internal folks selling logins on unused accounts).

Re:Hotmail Challenge

[SJHillman]

I'm from the place where people are responsible for locking their own doors, not relying on a building inspector coming around to make sure all of the locks are working properly.

Re:Hotmail Challenge

[vakuona]

How do you run through 26^7 possible password combinations on an online service?

Unless Microsoft lost the password hash database, it should be impossible to brute force a 7 letter password.

Re:Hotmail Challenge

[Isaac+Remuant]

you're right. I mixed that up.

Re:Hotmail Challenge

[cc_pirate]

Which part of 'hadn't logged in for months' didn't you understand?

Keyloggers are unlikely since none of their other, more lucrative accounts were hacked or invaded.

And since their passwds weren't changed, I dont think it was this 0 day exploit.

M$ security sux.

Critical Infrastructure

[TWX]

Consider this- Hotmail is a very high profile and widely used e-mail system that theoretically is profitable in its advertising for its owner, and has a lot to lose immediately by being thoroughly exploited in the potential for a rapid loss of users to other non-fee email systems like Google and Yahoo, and they still didn't take any action to resolve this until disaster was literally looming

The federal government wants to require actual critical infrastructure to be security vigilant and is getting pushback from industry, again critical infrastructure, not even some silly free-ish service, to try to avoid the expense.

Corporations, by and large, do not share interests with the public. Corporations are there for profit for shareholders and management first and foremost, and due to extreme myopia in those sectors, where the quarterly profit rules supreme, spending money on things like security are not considered necessary because they don't make profit, rather they cost money. Worse, utility companies and other infrastructure companies aren't high profile; most people don't give any thought to their electric supply beyond paying the bill unless it ceases.

Corporations are not looking out for your interest, unless you happen to be one of the very few people who has any real amount of money tied up in them.

Re:Critical Infrastructure

[Sarten-X]

I think your tinfoil hat's on a bit too tight.

Re:Critical Infrastructure

[srussia]

I think your tinfoil hat's on a bit too tight.

Not to mention inside out. I mean, the federal government is the good guy here? WTF?

Re:Critical Infrastructure

[Baloroth]

This is often repeated on Slashdot, and yet, it still isn't true. Corporations are most certainly interested in the interests of the public, insofar as the public ultimately represents their biggest customer. Not all corporation sell directly to the public, of course, and therefore they don't act in the public interest (oil companies, government contractors, etc.) but by and large, it is in Microsoft's and many corporations interest to work in the interest of consumers and the public because they are a large portion of their customer base.

OTOH consumers are, as a group, not particularly smart, so they often act against their own interests. Corporations, for their part, often do as well, since they are even more divided than individual consumers (by being, quite literally, divided). The result is that the public often gets screwed over. Keep in mind, though, that in cases like this, people choose to use Hotmail despite having dozens of free (and IMO better) alternatives. So, while Microsoft does share the interests of the public, they often act like they don't (again, because the public itself doesn't act in their own interest, so MS doesn't either, as far as they can get away with it).

I do have a Hotmail account, since I used them a long, long time ago, and it is still useful for sign-ups to sites I don't really care about, but I would never use them for anything serious.

Re:Critical Infrastructure

[tunapez]

How is an environment that fosters and encourages the bare minimum effort for the maximum return a conspiracy? From what little I know of corporate law, the OP's comment is spot on. My father, his neighbor and a third associate all called me in the last month to help fix the worm-like behavior associated with their hotmail accounts. Of the very small sample of hotmail users I know, at least three of them fell victim to these account exploits. I can only guess how many more there are in the world and none of my contacts have yet received any acknowledgement or assurance from MS besides the automated response email. Perhaps a conspiracy of neglect...how hard is it for an email service provider to send a mass response? Perhaps they could take some pointers from the spammers that exploit their servers daily.

Re:Critical Infrastructure

[Sarten-X]

For one, the tenuous attachment of this post to the topic is the assumption that Microsoft only fixed this when they were facing a profit disaster... except they were only aware of the problem a few hours before the fix was released, per the summary.

The rant against corporations assumes that corporations are those big evil faceless things that are just money-making machines. That's an incredibly simplistic and naive approach. Corporations exist to accomplish whatever goals their directors want, and that's not necessarily just "make money". I've worked with one company whose stated goal (even on a plaque and everything) was "make cool-looking things". Drive down the right highway at the right time, and you'll see an animated Christmas light display, built by the company as a training exercise in the engineering and construction of DMX lighting. Last I knew, the company had one paying client and made no profit, but still met their goal.

Another implication in the post is that companies are rejecting security mandates purely out of concern for profit. From my experience in IT, this is seldom the real issue. More often, the IT managers are balking at the time and effort mandated for no practical gain. As one example, I used to work at a company that dealt with medical data. Before we were required to be HIPAA-compliant, we salted & hashed (SHA512, multiple times for technical reasons) personal identifiers before they were stored. After HIPAA, we were required to use a two-way encryption algorithm, and have the decryption key stored offsite by another company. The end result was less actual security (because the data could be decrypted, and the key did exist somewhere) and a lot of effort by the software developers.

It's been my experience that security mandates and certifications involve a lot of hassle to meet a set of standards that are too strictly-defined to be practical. I'm not surprised to hear corporations are pushing back against government bureaucrats.

Re:Critical Infrastructure

[NotBorg]

In GP's defense, you actually want it some what tight. If it's loose and sagging it can potentially block your view of the real world.

Re:Critical Infrastructure

[aztracker1]

You can get any email validated as a "live" login.. just *most* will chose the hotmail option (as other options are a bit buried).

Re:Critical Infrastructure

[symbolset]

There is a profit motive associated with securing electronic systems for the purveyors of those systems. It is simply not profitable to be seen as having shoddy security. This is a rookie mistake any decent security audit would have caught - and that implies that responsible audits are not being done. It follows straight on the heels of another one involving allowing users to have inadequate passwords. That means it's open season on Hotmail still and there's a heck of a lot of money to be made compromising it. A crash program to audit everything about Hotmail security had better already be underway because I guarantee if it's got faults this obvious it has many dozen far more obscure.

There are some here making excuses for the vendor involved and that's lame. This is a commercial enterprise that wants to be taken seriously in matters relating to confidence, security, the ability to handle money. People use email to handle important personal and business matters, to pass sensitive materials, to manage accounts for things that handle real money. This vendor is responsible for operating systems and applications that manipulate most of the world's commerce, credit, medical records and other serious matters. These failures represent simple and obvious neglect of their responsibility to practice due care. It should take them a long time to recover the respect and confidence they lost from this - and that will require that they get full control of their security situation even if it is inconvenient or expensive to do so.

"Vulnerabilities happen" is a copout. Vulnerabilities on this level of violation of best practice must not happen in an organization that hopes to maintain this level of responsibility.

How to change email account?

[hort_wort]

Alright. I read about the hotmail security breach the other day and now this. I had my own account accessed twice before, but I thought it was just due to a weak password on my part each time. Now I'm thinking it wasn't just me. I want to switch now.

So for people in the know on email accounts, I have two questions:
1) What is the best choice of service for a lazy person? (Gmail? Seems like that one should be a target itself just from popularity.)

2) What sorts of obstacles will I face when switching? I have my current hotmail addy associated with every service I subscribe to, and I don't think I can change it with many of them. Am I supposed to empty out all the messages and contacts in it, then have it transfer all messages immediately to my new account?

Re:How to change email account?

[semi-extrinsic]

When I migrated from university webmail to Gmail last year, I used Thunderbird to transfer the gigabytes of sent/received email I had there. First download from "YourOldMail", then upload to "YourNewMail". Painless experience, and I recommend this approach if "YourNewMail" can't import directly from "YourOldMail".

And yes, Gmail is pretty good. The only gripe I have is that I can't set up mail encryption (GPG for message header/body) in Gmail's webmail interface, but this is mainly interesting if your tinfoil hat is frequently used. On the upside, I'm pleasantly impressed by how well it handles "Event Invitations" sent from people using Outlook, you'll appreciate the possibility of two-factor authentication, and of course searching through mail is magic.

(BTW, most subscription services I've seen allow changing your email, but it's often hidden pretty well. Good hunting.)

Re:How to change email account?

[dejanc]

My Gmail account got hacked into. It was a big hassle. The password wasn't weak, but I might have given it away to somebody by providing it to an "open id" login, or something like that.

I still have that Gmail account but with two step authorization (they send me an SMS with a code whenever I change IPs) but I am moving away from it.

Instead, I purchased a Linode server and deployed email solution there for primary email. It took me maybe a couple of hours to configure, but I am very happy with it, and I also utilize it for other nifty stuff, like my own dynamic dns solution, SVN/GIT repository, backup server, etc.

Re:How to change email account?

[the+eric+conspiracy]

I've been running my own mail server for a decade now. Right now it's on Scientific Linux running on a Atom based machine. I love it because there is no latency for inbound mail, and it isn't dependent on ISP servers for inbound processing.

For outbound I still use my ISP mostly because I don't have a static IP and lots of services reject mail from dynamic IPs.

Re:How to change email account?

[Ingenium13]

You actually can setup GPG in Gmail's web interface, at least in Chrome: http://thinkst.com/tools/cr-gpg/. It seems that FireGPG was unfortunately discontinued for Firefox.

Re:How to change email account?

[aztracker1]

I have my own mail server, on a commercial internet account... I find that I use my gmail account far more than my vanity domain. I have been using SmarterMail for a number of years now, with pretty good settings for spam prevention... just the same, gmail's web interface and integration (with android) has worked out better for me.

Re:How to change email account?

[tmarthal]

Did it get hacked into before or after you added the two step auth?

Also, are you using Google Account Reports? It now tells you exactly where and how you've logged into your Google Accounts; I think the SMS that you get are actually from this, not the two-step auth.

I feel much safer with the application one-time passwords and two-step hardware keycodes than any other service.

Does your Linode Server have two step auth to access email? And can you do that on your phone?

Hacking Community

[Vegemeister]

spreading 'like wild fire' in the hacking community

For definitions of 'hacking community' sufficiently close to 4chan, I presume?

Re:Go alternate ...

[ch-chuck]

Total coincidence, but I saw this ancient B&W episode of Robin Hood yesterday where he did hack a carrier pigeon. The sheriff was going to use pigeons to carry some pearls to his place, but Robin switch birds with Maid Marion's and took them elsewhere!

Dear Microsoft

[fxbar]

Dear Microsoft Support,
I own 100'000 hotmail accounts (now), but I don't consider them save anymore. Can I please return them? Would you mind exchanging them for a GMail account?
Thanks

Re:What's Hotmail?

[SJHillman]

I stopped using Hotmail long before Gmail ever came out, but from what I hear they largely fixed their spam problems so it's on par with Gmail now.

Wide-spread

[no-body]

0-day - MSoft .... giggle

Re:What's Hotmail?

[Cro+Magnon]

I've tried Hotmail recently, and so far so good for spam. Of course it doesn't get near the use of my gmail, but even light use would have gotten me spam-swamped in the "good old days".

Re:What's Hotmail?

[kaatochacha]

I've begun using my hotmail account recently as the "giveaway" address.
It was unusable not too long ago. Now, I really never get any spam in it.

Re:What's Hotmail?

[TheLink]

Alternate theory: even the spammers have given up on Hotmail.

Re:How long has this been going on?

[Kernel+Krumpit]

I have 3 hotmail/livemail accounts, 1 Gmail account and my own Exchange Server with 50 or so email addresses (from 5 Domains). Some interesting facts from my digital life follow. - My hotmail accounts have never been compromised (1 of my hotmail accounts is over 12 years old) - my gmail account has never been compromised - I pick-up email from my 4 cloud accounts above via POP. I leave no emails in the cloud and seldom access my online accounts. - the only email addresses i've ever had compromised were both "unique" and jacked from The US Bank (e.g. us.bank@oneofmydomains.com) and the Bill Paying company my city council uses for their utility payments (e.g. water@oneofmydomains.com) Shocking I know but the "secure" online Bill Payer lied and denied and obfuscated the compromise and the US Bank admitted tit and were "looking into it"!! Needless to say those two compromised emails were changed within 2 minutes.

Re:This is bad.

[Kernel+Krumpit]

Interestingly enough one of my more "senior" clients forgot their original 10 year old MSN password. After a few days "battling it out" with MSN and all the usual verification tests - for the innocents involved - MSN REFUSED to hand over the account with either a new or an old password to the rightful account owner!

Solution to email phishing ..

[dgharmon]

The problem with email security is that once the attacker knows your email address, he can then go onto acquire the password through either phishing or guessing your password reset information. A simple solution that would mitigate against that is to provide the email identity in two parts, a private identity and a public email aliase. People send email to the public email address but only you can login with the private ID. The private ID is never transfered to any third party.

Just Solve It

[ryanisflyboy]

65.52.0.0/14 451 "Due to overwhelming security issues with hotmail, your e-mail provider has been blocked. Please switch e-mail providers, your e-mail is not safe at hotmail."

# grep hotmail.com /var/log/maillog | wc
    20935 419204 4814336

If everyone did this, we wouldn't have an issue any more.