Microsoft has smacked down a Hotmail bug that allowed hackers to lock users out of their own accounts.
Redmond took one day to slap down a glitch that allowed anyone with a Firefox add-on to remotely reset the password of a Hotmail account. The Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data.
When they hit a password reset on a given email account they could fiddle the requests and input in a reset they chose. Vulnerability-lab.com outlined the details:
Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access.
The bug seems to have been around for a while, but has recently been targeted by hackers on a larger scale. Blog whitec0de pointed out that hackers online were advertising to crack Hotmail accounts for as little as $20 (£12).
According to the vulnerability-lab.com report: Microsoft was alerted to the flaw on 20 April, and got a fix out on 21 April, one day later. They went public with the fix yesterday.
Hotmail has 364 million users, according to a comscore report from 2010. ®