Microsoft squashes Hotmail password hijack bug



#1 Terryala

Terryala

    Board Grand Dad

  • General Admin
  • 17,909 posts

Posted 27 April 2012 - 04:58 PM

Microsoft squashes Hotmail password hijack bug.


QUOTE
Hackers offer to crack accounts for £12


By Anna Leach

Posted in Security, 27th April 2012 12:31 GMT

Microsoft has smacked down a Hotmail bug that allowed hackers to lock users out of their own accounts.

Redmond took one day to slap down a glitch that allowed anyone with a Firefox add-on to remotely reset the password of a Hotmail account. The Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data.


When they hit a password reset on a given email account they could fiddle the requests and input in a reset they chose. Vulnerability-lab.com outlined the details:

Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values "+++)-". Successful exploitation results in unauthorized MSN or Hotmail account access.

The bug seems to have been around for a while, but has recently been targeted by hackers on a larger scale. Blog whitec0de pointed out that hackers online were advertising to crack Hotmail accounts for as little as $20 (£12).

According to the vulnerability-lab.com report: Microsoft was alerted to the flaw on 20 April, and got a fix out on 21 April, one day later. They went public with the fix yesterday.


http://www.theregist...l_bug_squashed/