Slashdot Mirror


Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation

suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."
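The summary says the reset tokens were not validated properly but not how. Added here as an illustration, not Hotmail's or Microsoft's code: a minimal reset-token flow showing the checks a correct validator has to make, namely that the token is bound to the account it was issued for, that it has not expired, that it is compared in constant time, and that it works only once. The in-memory store, the 15-minute lifetime, the placeholder host name and the account names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: a reset link is good for 15 minutes

# In-memory stand-in for the table of pending resets. It is keyed by account id,
# so a token can only ever be checked against the account it was issued for,
# and it holds the token's hash, not the token itself.
_pending_resets: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(account_id: str, now: Optional[float] = None) -> str:
    """Start a reset for account_id. Returns the secret that goes into the
    e-mailed link; only its hash stays on the server."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending_resets[account_id] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def build_reset_link(account_id: str, token: str) -> str:
    # Hypothetical URL shape; the host name is a placeholder, not Hotmail's.
    return f"https://mail.example.invalid/reset?account={account_id}&token={token}"


def validate_reset_token(account_id: str, presented: str, now: Optional[float] = None) -> bool:
    """True only if `presented` is the live, unexpired token issued for exactly
    this account. A successful check consumes the token (single use)."""
    now = time.time() if now is None else now
    record = _pending_resets.get(account_id)
    if record is None:
        return False  # nothing pending for this account, so a token issued to anyone else is useless here
    if now > record["expires_at"]:
        _pending_resets.pop(account_id, None)
        return False  # stale link
    # Constant-time comparison so response timing does not leak how much of the hash matched.
    if not hmac.compare_digest(record["token_hash"], _hash_token(presented)):
        return False
    _pending_resets.pop(account_id, None)  # burn it: the link works once
    return True


if __name__ == "__main__":
    tok = issue_reset_token("alice")
    print(build_reset_link("alice", tok))
    print("other account:", validate_reset_token("bob", tok))    # False
    print("right account:", validate_reset_token("alice", tok))  # True
    print("replayed:", validate_reset_token("alice", tok))       # False
```

The point of keying the store by account rather than looking the token up on its own is that a token can never be presented against a different account than the one it was mailed for; the expiry and single-use checks limit what a leaked or intercepted link is worth.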

22 of 88 comments

  1. Ouch by symbolset · Score: 5, Funny

    It's a good thing they've gotten so committed to security, hired so many competent folks. Otherwise stuff like this might happen over and over. I'm glad this one security vulnerability in Hotmail is now completely repaired. I'll sleep better at night.

    --
    Help stamp out iliturcy.
    1. Re:Ouch by Sarten-X · Score: 5, Funny

      I sleep well enough at night myself... I don't use Hotmail.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Ouch by bhcompy · Score: 4, Funny

      I use Windows Live mail, so I'm completely safe.

    3. Re:Ouch by Richard_at_work · Score: 4, Insightful

      I'm guessing that, with that attitude, you are posting that comment using nothing but some wires, a battery and a fucking good knowledge of the TCP/IP protocol?

      Every system ever built has the potential for issues, and the vast vast majority of systems have actually had issues - whatever you are using right now is not an exception.

    4. Re:Ouch by lister+king+of+smeg · Score: 3, Insightful

      you mean pull an apple

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    5. Re:Ouch by X0563511 · Score: 2

      What's that burning smell?

      OH GOD PUT IT OUT!

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Ouch by Anonymous Coward · Score: 5, Funny

      Yeah I prefer hot females instead.

  2. PcPro by gbjbaanb · Score: 4, Insightful

    and to think of all the people who claimed that there was nothing wrong with Hotmail security and the PCPro chap who switched to Hotmail over Google must have had his password hacked by an alternative site...

    oh well, I'm sure this is just a coincidence, right.

    1. Re:PcPro by binarylarry · Score: 2, Funny

      Where's TechOK/TechFL/Bonch/etc when you need him, eh?

      --
      Mod me down, my New Earth Global Warmingist friends!
    2. Re:PcPro by __aaqvdr516 · Score: 4, Insightful

      Well, since the PCpro guy logged right back in to his email, however it was compromised it wasn't with the password reset token.

      If it had been the password reset token, they wouldn't know his original password, they'd have changed it to something that only the hacker would know and he wouldn't have been able to log back in like he did.

      So yes, it was a coincidence and/or another unknown hack.

    3. Re:PcPro by ArsenneLupin · Score: 2

      So yes, it was a coincidence and/or another unknown hack.

      Not necessarily so... The following scenario could have happened:

      1. Attacker resets PCpro guy's password using this vulnerability
      2. Attacker rifles through PCpro guy's mails...
      3. ... and finds a confirmation mail from another site, containing the password to that site (yes, some sites unfortunately do this...)
      4. On a hunch, and in order to stay discreet, attacker sets the Hotmail password "back" to the password found in that confirmation mail
    4. Re:PcPro by tbannist · Score: 2

      Even more likely the PCpro guy reset his password and simply didn't mention that step.

      --
      Fanatically anti-fanatical
  3. Hotmail Challenge by Rik+Sweeney · Score: 5, Informative

    Looks like PC Pro's Barry Collins' weak password wasn't ultimately a problem.

    1. Re:Hotmail Challenge by Anonymous Coward · Score: 4, Informative

      Check out comment 143 from Barry's original PCPro article

      Barry Collins Says:
      April 27th, 2012 at 11:10 am
      I consider myself suitably and rightfully admonished, Mr Winder. However, I don’t think I did fall victim to the zero-day exploit, as that would have required the hackers to reset the password. I was still able to access my account after it was hacked.

      Barry Collins

      Barry believes this was not the cause of his account being breached. Sounds like the fault may still be on his password choice.

    2. Re:Hotmail Challenge by fxbar · Score: 2

      I think this once more shows how amateurish software is developed at microsoft**. So I would bet some money that there is a second 0-day flaw that is used which does not require changing the password of the user. I don't believe that this password was brute forced, because even microsoft should (now) be able to prevent brute forcing. Or are they not even able to achieve that? Because his account was new it means that many attempts to brute force would have been done in a short period of time; any reasonable system today prevents that...

      **I have a little experience with microsoft because we had to support IE in a project. But how IE handles private keys on smart cards is not secure at all (all sessions stay active even when the card is removed, which was an absolute no-go in this project). Answer from microsoft after needing weeks (and much communication overhead) to confirm the flaw: it will not be fixed before IE 11.

    3. Re:Hotmail Challenge by isorox · Score: 2

      7 letters, 7 words would have been a fairly strong password, even if it was all lowercase.

      Assuming that a hacker knew it was 7 lowercase letters, and they were random, that's 26^7.
      That's more secure than 5 random characters from about 72 upper/lower/numeric/symbols.

      Now I believe his password was actually xxx, giving about 2000*26*26*26 combinations, only as secure as a 4 random character password; however, unless someone had access to Hotmail's hashes, it doesn't matter.

      Most banks have a password of 4 numbers. That's 10,000 combinations, it's barely more secure than a 2 symbol password! However those banks lock you out after 3 failed attempts, you won't be brute forcing that. I'd hope things like Hotmail would do something similar -- maximum of 5 login attempts in 5 minutes for example, and an email to your account whenever you get a wrong password.
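The throttle isorox describes (at most 5 attempts in any 5-minute window, plus an e-mail to the owner on every wrong password), as an added example that is not code from this thread or from Hotmail. The `LoginThrottle` class, the plaintext credential store and the account name are constructed for the example; the last function turns the comment's bank-PIN arithmetic into wall-clock time under such a throttle.

```python
import collections
import hmac
import time
from typing import Callable, Deque, Dict, List, Optional

MAX_FAILURES = 5          # policy from the comment: at most 5 failed attempts...
WINDOW_SECONDS = 5 * 60   # ...in any 5-minute window, per account

# Constructed credential store. A real service keeps salted password hashes;
# plaintext is used here only to keep the throttling logic in focus.
_PASSWORDS: Dict[str, str] = {"barry": "correct-horse-battery-staple"}


class LoginThrottle:
    """Sliding-window failure counter with a hook for notifying the owner."""

    def __init__(self, notify: Optional[Callable[[str, float], None]] = None) -> None:
        self._failures: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)
        self.notifications: List[str] = []  # stand-in for the outgoing e-mail queue
        self._notify = notify or (lambda account, when: self.notifications.append(account))

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent_failures(account, now)) >= MAX_FAILURES

    def attempt(self, account: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'locked', 'wrong' or 'ok'. A locked account is refused before
        the password is even looked at, so the refusal says nothing about it."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        expected = _PASSWORDS.get(account, "")
        if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
            self._failures[account].append(now)
            self._notify(account, now)  # "an email to your account whenever you get a wrong password"
            return "wrong"
        self._failures[account].clear()  # a good login resets the counter
        return "ok"


def seconds_to_exhaust_online(keyspace: int) -> float:
    """Worst-case time needed to try every candidate online when held to
    MAX_FAILURES guesses per WINDOW_SECONDS. For the comment's 4-digit PIN
    (10,000 candidates) that is 600,000 s, about a week, instead of seconds."""
    return keyspace / MAX_FAILURES * WINDOW_SECONDS


if __name__ == "__main__":
    throttle = LoginThrottle()
    for i in range(6):
        print(i, throttle.attempt("barry", "guess%d" % i, now=float(i)))
    print("owner notified %d times" % len(throttle.notifications))
    print("4-digit PIN under throttle: %.1f days" % (seconds_to_exhaust_online(10 ** 4) / 86400))
```

The window is per account rather than per source address, which is what makes it bite: the comment's point is that a small keyspace is fine when the verifier itself limits the guessing rate, and it stops being fine only when the hashes leave the server.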

  4. Critical Infrastructure by TWX · Score: 2, Insightful

    Consider this- Hotmail is a very high profile and widely used e-mail system that theoretically is profitable in its advertising for its owner, and has a lot to lose immediately by being thoroughly exploited in the potential for a rapid loss of users to other non-fee email systems like Google and Yahoo, and they still didn't take any action to resolve this until disaster was literally looming.

    The federal government wants to require actual critical infrastructure to be security vigilant and is getting pushback from industry, again critical infrastructure, not even some silly free-ish service, to try to avoid the expense.

    Corporations, by and large, do not share interests with the public. Corporations are there for profit for shareholders and management first and foremost, and due to extreme myopia in those sectors, where the quarterly profit rules supreme, spending money on things like security is not considered necessary because it doesn't make profit, rather it costs money. Worse, utility companies and other infrastructure companies aren't high profile; most people don't give any thought to their electric supply beyond paying the bill unless it ceases.

    Corporations are not looking out for your interest, unless you happen to be one of the very few people who has any real amount of money tied up in them.

    --
    Do not look into laser with remaining eye.
    1. Re:Critical Infrastructure by Sarten-X · Score: 5, Insightful

      I think your tinfoil hat's on a bit too tight.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Critical Infrastructure by srussia · Score: 2

      I think your tinfoil hat's on a bit too tight.

      Not to mention inside out. I mean, the federal government is the good guy here? WTF?

      --
      Set your phasers on "funky"!
    3. Re:Critical Infrastructure by Baloroth · Score: 2

      This is often repeated on Slashdot, and yet, it still isn't true. Corporations are most certainly interested in the interests of the public, insofar as the public ultimately represents their biggest customer. Not all corporations sell directly to the public, of course, and therefore they don't act in the public interest (oil companies, government contractors, etc.) but by and large, it is in Microsoft's and many corporations' interest to work in the interest of consumers and the public because they are a large portion of their customer base.

      OTOH consumers are, as a group, not particularly smart, so they often act against their own interests. Corporations, for their part, often do as well, since they are even more divided than individual consumers (by being, quite literally, divided). The result is that the public often gets screwed over. Keep in mind, though, that in cases like this, people choose to use Hotmail despite having dozens of free (and IMO better) alternatives. So, while Microsoft does share the interests of the public, they often act like they don't (again, because the public itself doesn't act in their own interest, so MS doesn't either, as far as they can get away with it).

      I do have a Hotmail account, since I used them a long, long time ago, and it is still useful for sign-ups to sites I don't really care about, but I would never use them for anything serious.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  5. Hacking Community by Vegemeister · Score: 4, Funny

    spreading 'like wild fire' in the hacking community

    For definitions of 'hacking community' sufficiently close to 4chan, I presume?

  6. Re:How to change email account? by Ingenium13 · Score: 2

    You actually can set up GPG in Gmail's web interface, at least in Chrome: http://thinkst.com/tools/cr-gpg/. It seems that FireGPG was unfortunately discontinued for Firefox.