Was your Hotmail account hacked in April? If so, it might have been on a bet. The whitec0de.com blog reports that, for $20, a member of a hacker forum offered to crack any Hotmail account within a minute – and that he kept his word. A critical security hole in Microsoft's email service was posted on a security forum, allowing the hacker to change the passwords of Hotmail users.
Numerous users were affected. Some were targeted because they used their accounts to access such services as PayPal. It's alleged that the vulnerability was also used to change ownership of short account names such as ab@hotmail.com and xxx@hotmail.com.
Benjamin Kunz Mejri, a security expert who discovered the hole at around the same time as the incidents described above, has released details about the vulnerability in an advisory. According to the expert, the hole was contained in the "password reset" functionality – during one step, the Hotmail server apparently checked the existence of a token but not its value.
By simply injecting a token such as "+++)-" into their requests, attackers were able to take control of any account. Mejri notified Microsoft on April 6th, and the problem was fixed on April 21st.
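The defect described in the advisory is a reset handler that tests whether a token field is present rather than whether its value matches the token that was issued. The following is an added illustration, not Hotmail's code or anything from the advisory: a constructed in-memory store (`RESET_STORE`, a hypothetical stand-in for a real backend) with the presence-only check beside a check that verifies the value, binds it to the account, enforces expiry and consumes the token after one use.

```python
import hmac
import secrets
import time

# Constructed in-memory store of issued reset tokens: {account: (token, expiry)}.
# Hypothetical stand-in for whatever backend a real mail service would use.
RESET_STORE: dict[str, tuple[str, float]] = {}


def issue_reset_token(account: str, ttl_seconds: int = 900) -> str:
    """Issue a random, single-use reset token bound to exactly one account."""
    token = secrets.token_urlsafe(32)
    RESET_STORE[account] = (token, time.time() + ttl_seconds)
    return token


def weak_reset_check(account: str, submitted: str) -> bool:
    """The pattern the advisory describes: the server confirms a token was sent
    but never compares it to anything, so any non-empty string passes and the
    account parameter is not consulted at all."""
    return bool(submitted)


def hardened_reset_check(account: str, submitted: str) -> bool:
    """Accept only the token issued for this account, unexpired, and only once."""
    entry = RESET_STORE.get(account)
    if entry is None or not submitted:
        return False
    expected, expires_at = entry
    if time.time() > expires_at:
        RESET_STORE.pop(account, None)  # stale token: discard it
        return False
    # Constant-time comparison so the check does not leak a prefix match.
    if not hmac.compare_digest(expected, submitted):
        return False
    RESET_STORE.pop(account, None)  # single use: consume on success
    return True
```

A reset endpoint should also log rejected attempts with the account name, since a stream of requests carrying junk tokens against many accounts is the signal a defender would want to alert on.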