Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation

Posted by Soulskill on from the barn-doors-and-horses dept.

suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."

11 of 88 comments (clear)

  1. Ouch by symbolset · · Score: 5, Funny

    It's a good thing they've gotten so committed to security, hired so many competent folks. Otherwise stuff like this might happen over and over. I'm glad this one security vulnerability in Hotmail is now completely repaired. I'll sleep better at night.

    --
    Help stamp out iliturcy.
    1. Re:Ouch by Sarten-X · · Score: 5, Funny

      I sleep well enough at night myself... I don't use Hotmail.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Ouch by bhcompy · · Score: 4, Funny

      I use Windows Live mail, so I'm completely safe.

    3. Re:Ouch by Richard_at_work · · Score: 4, Insightful

      Im guessing that, with that attitude, you are posting that comment using nothing but some wires, a battery and a fucking good knowledge of the tcp/ip protocol?

      Every system ever built has the potential for issues, and the vast vast majority of systems have actually had issues - whatever you are using right now is not an exception.

    4. Re:Ouch by Anonymous Coward · · Score: 5, Funny

      Yeah I prefer hot females instead.

  2. PcPro by gbjbaanb · · Score: 4, Insightful

    and to think of all the people who claimed that there was nothing wrong with Hotmail security and the PCPro chap who switched to Hotmail over Google must have had his password hacked by an alternative site.....

    oh well, I'm sure this is just a coincidence, right.

    1. Re:PcPro by __aaqvdr516 · · Score: 4, Insightful

      Well, since the PCpro guy logged right back in to his email, however it was compromised it wasn't with the password reset token.

      If it had been the password reset token, they wouldn't know his original password, they'd have changed it to something that only the hacker would know and he wouldn't have been able to log back in like he did.

      So yes, it was a coincidence and/or another unknown hack.

  3. Hotmail Challenge by Rik+Sweeney · · Score: 5, Informative

    Looks like PC Pro's Barry Collins weak password wasn't ultimately a problem.

    --
    Summation 2
    1. Re:Hotmail Challenge by Anonymous Coward · · Score: 4, Informative

      Check out comment 143 from Barry's original PCPro article

      Barry Collins Says:
      April 27th, 2012 at 11:10 am
      I consider myself suitably and rightfully admonished, Mr Winder. However, I don’t think I did fall victim to the zero-day exploit, as that would have required the hackers to reset the password. I was still able to access my account after it was hacked.

      Barry Collins

      Barry believes this was not the cause to his account being breached. Sounds like the fault may still be on his password choice.

  4. Re:Critical Infrastructure by Sarten-X · · Score: 5, Insightful

    I think your tinfoil hat's on a bit too tight.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  5. Hacking Community by Vegemeister · · Score: 4, Funny

    spreading 'like wild fire' in the hacking community

    For definitions of 'hacking community' sufficiently close to 4chan, I presume?