Anyone could reset Hotmail passwords, but it’s been fixed by Microsoft.
Microsoft has been quick to act on a Hotmail password reset flaw where anyone could perform the request.
Announcing on Twitter that the fix was complete, Microsoft said no user action was needed. The flaw allowed anyone to set a new password on a Hotmail account, and Microsoft provided the fix within hours of being notified. One report said the exploit spread rapidly across the community.
Unfortunately, some damage had already been done (though evidently not enough for Microsoft to ask users to take action), and the flaw was apparently being abused throughout the community.
Hotmail uses what’s called a token system, which means only the account holder can reset the password. The token is carried in the URL sent out when a password reset is requested, which then takes the user to a page where a new password is entered.
Hackers were charging $20 for password resets (though someone must be pretty desperate for a password reset, and must want something of importance), and the exploit became widespread on the Web and on YouTube. The technique was being used in the Arabic-speaking world. Some videos showing the exploit date back to April 6.
No total number of exploited accounts
It was seemingly during the 14 days from April 6 to 20 that most of the damage was done, before the exploit was reported to Microsoft by Vulnerability Labs. At the time, they rated the exploit as critical. The flaw was apparently discovered by a Saudi hacker at dev-point.com. Visiting the site shows plenty of discussion of the exploit, so it seems people were acutely aware of it and intended to maximise the damage done. No doubt personal details were stolen or contact information was gathered.
A quick way to check whether your account has been hacked is to enter your password, which won’t work if it has been changed. The first step to regaining access to any account is to reset all of the recovery information so the hacker can’t get back in.
Hackers apparently used a Firefox add-on to intercept HTTP requests and modify data to bypass the token system. While Microsoft has said no action is needed, the company has not revealed how many of the 300 million Hotmail users were affected.
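The two technical points above are that a reset token is supposed to bind the reset to the account holder, and that the bypass worked by tampering with the HTTP request between the browser and the server. The following is an added example, not Hotmail's code or anything from Microsoft, of how a reset handler should treat such a request: the account to change is looked up from the server's own record of which user the token was issued to, so any `username` or `email` field the client adds to the request is ignored, and a request with a missing, unknown, expired or already-used token is rejected. The in-memory `USERS` and `RESET_TOKENS` dictionaries and the 15-minute lifetime are constructed stand-ins for real database tables and policy.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {"alice": "pw-hash-old", "bob": "pw-hash-old"}
RESET_TOKENS = {}  # sha256(token) -> {"user", "expires", "used"}
TOKEN_TTL = 15 * 60  # token lifetime in seconds (constructed policy)


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> str:
    # Salted PBKDF2 from the standard library; a real system would pick its
    # own parameters (or argon2/bcrypt), this is just a working stand-in.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use, time-limited token bound to one account.
    The raw token is what would be embedded in the emailed reset URL."""
    now = time.time() if now is None else now
    if username not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return token


def handle_reset_request(params: dict, now: Optional[float] = None) -> Optional[str]:
    """Process the form submitted from the reset page.

    `params` is whatever the client sent. Only `token` and `new_password`
    are consulted; any `username` or `email` field is deliberately ignored,
    because the account to change comes from the server's record of which
    user the token was issued for. Returns the username whose password was
    changed, or None if the request is rejected.
    """
    now = time.time() if now is None else now
    token = params.get("token")
    new_password = params.get("new_password")
    if not token or not new_password:
        return None  # no token, no reset: nothing is trusted from the client alone
    record = RESET_TOKENS.get(_token_key(token))
    if record is None or record["used"] or now > record["expires"]:
        return None  # unknown, already spent, or expired token
    record["used"] = True  # burn the token before touching the password store
    user = record["user"]
    USERS[user] = _hash_password(new_password)
    return user


if __name__ == "__main__":
    t = issue_reset_token("alice", now=1000.0)
    # A tampered request naming another user still only resets alice.
    print(handle_reset_request({"token": t, "new_password": "s3cret", "username": "bob"}, now=1100.0))
    # Replaying the same token is refused.
    print(handle_reset_request({"token": t, "new_password": "again"}, now=1200.0))
```

The design choice that matters here is that the request never names the account: the token is the only input, it is looked up by hash, checked for expiry, and marked used before any password is written. A client that strips, edits or swaps fields in the request cannot steer the reset to someone else's account, because there is no field for that to act on.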