Microsoft squashes Hotmail hijack bug

Powered by SC Magazine
 

Accounts cracked in 60 seconds.

Microsoft has crushed a vulnerability in Hotmail that allowed attackers to hijack accounts using a Firefox extension.

The bug was actively exploited on cybercrime forums last month by users who boasted the ability to crack any Hotmail account in less than a minute.

Some charged around $20 for the service, security researcher Naveen Thakur said.

The attack was simplified through the Tamper Data Firefox extension, which helped hijackers exploit a weakness in the way Hotmail issued password resets. The exploit allowed attackers to bypass the recovery feature and issue a password of their choosing.

Researchers at Vulnerability Lab said the token system designed to secure the reset procedure "only checks if a value is empty then blocks or closes the web session".

"Successful exploitation results in unauthorised MSN or Hotmail account access."

Attackers could use positive values in the token system to bypass the security feature, decode the CAPTCHA anti-spam feature and send automated values to the MSN Live Hotmail module.

Vulnerability Labs discovered the flaw and reported it to Microsoft about ten days later.

Redmond's security team took only a day to fix the flaw.

Copyright © SC Magazine, Australia


Microsoft squashes Hotmail hijack bug
 
 
 
Top Stories
Victoria dumps RandL project, writes off $97m
Troubled rego and licensing system taken off life support.
 
Taking the fight to the disruptors
Seven West Media's new chief digital officer, Clive Dickens, says if a media company as historic as Disney can take on the new media landscape, then so can he.
 
AGL appoints three new technology chiefs
Trio of former CFOs take over tech.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Small business win in a budget with 'fair' savings: Abbott
Apr 17, 2015
Tony Abbott has reaffirmed that the government’s aim is “always to get taxes ...
Xero now includes an inventory function built-in
Mar 26, 2015
Xero has added inventory and other major new features to the latest release of its cloud ...
Apple reveals its new MacBook
Mar 13, 2015
Replacing the MacBook Air as Apple's thinnest laptop, the new MacBook comes packed with features.
Xero has released a new version of its app for the iPad
Mar 6, 2015
iPad-wielding Xero users can now take advantage of a new version of the iOS app for the cloud ...
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  40%
 
No
  60%
TOTAL VOTES: 5

Vote