Want someone else’s Hotmail account?

27 April 2012

A software bug can often lead to a vulnerability that can be exploited with sophisticated exploit code. Or sometimes you can just install a free add-on that lets you do the same thing with no effort.

A few days ago, Whitec0de reported on a newly found vulnerability in Hotmail’s passwords. It enabled a hacker to take complete control of a user’s Hotmail account – not merely accessing the user’s mail, but preventing access for the legitimate account holder. It effectively stole the user’s entire Hotmail email database – and all the confidential and sensitive data it contains. 

The methodology leaked out – it wasn’t difficult. “All hell broke loose,” said Whitec0de, “when a member from a very popular hacking forum offered his service that he could hack ‘any’ email account within a minute.” The going rate was as low as $20 per account.

Whitec0de went on to describe the exploit. “It involves using a Firefox addon called Tamper Data which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data.” All the attacker had to do was select ‘I forgot my password’ and intercept and modify the traffic. All he needed was the legitimate Hotmail address – which is not difficult to obtain. In fact, the Sophos Naked Security blog says, “According to some reports, Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession.”

Microsoft did not wait on its usual patch cycle. It responded with a rapid quick fix resulting in a ‘Server error’ whenever the hack was attempted. But, comments a BBC report, “It is not clear how many Hotmail accounts have been hacked by attackers exploiting the bug. Those who have fallen victim will know because they will find they are locked out of their Hotmail account.”
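The lesson for anyone building a password-reset flow is that nothing the browser sends in the second step can be trusted, because a tool like Tamper Data edits it in transit. The following is an added example, not code from this article and not a description of Hotmail's implementation: a minimal two-step reset service in which the account being reset is identified only by the server-issued token (stored hashed, time-limited, single-use), set beside a hypothetical weak handler that reads the target account from a client-supplied field. The user names, the 15-minute token lifetime and the weak pattern itself are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset token (constructed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt stored in front of the digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


class PasswordResetService:
    """Two-step reset flow: step 2 identifies the account only via the token."""

    def __init__(self, users: Dict[str, dict], now: Callable[[], float] = time.time):
        self.users = users          # email -> {"password_hash": ...}
        self._now = now             # injectable clock so the demo can expire tokens
        self._pending: Dict[str, dict] = {}   # sha256(token) -> {"email", "expires"}

    def begin_reset(self, email: str) -> Optional[str]:
        """Step 1 ("I forgot my password"). Returns the token only so this
        example can play the role of the e-mail; a real service sends it to
        the address on file and never echoes it in the HTTP response."""
        if email not in self.users:
            return None   # respond identically whether or not the address exists
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store a hash, not the token
        self._pending[key] = {"email": email, "expires": self._now() + TOKEN_TTL_SECONDS}
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2. Any account/email field the browser sends is ignored; the
        account is the one bound to the token on the server. pop() makes the
        token single-use even when the attempt fails."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(key, None)
        if record is None or self._now() > record["expires"]:
            return False
        self.users[record["email"]]["password_hash"] = hash_password(new_password)
        return True


def complete_reset_trusting_client(service: PasswordResetService, email: str,
                                   token: str, new_password: str) -> bool:
    """Hypothetical weak handler (an illustration, not a description of
    Hotmail's code): the token is checked, but the target account is read from
    a client-supplied request field, so editing that field in transit moves
    the reset onto someone else's account."""
    key = hashlib.sha256(token.encode()).hexdigest()
    record = service._pending.pop(key, None)
    if record is None or service._now() > record["expires"] or email not in service.users:
        return False
    service.users[email]["password_hash"] = hash_password(new_password)   # wrong account
    return True


def demo() -> Dict[str, bool]:
    """Plays out a tampered step-2 request against both handlers (constructed data)."""
    clock = [1_700_000_000.0]
    users = {
        "alice@example.com": {"password_hash": hash_password("alice-original")},
        "mallory@example.com": {"password_hash": hash_password("mallory-original")},
    }
    svc = PasswordResetService(users, now=lambda: clock[0])
    results = {}

    # Hardened handler: the token was issued for mallory, so only mallory changes.
    token = svc.begin_reset("mallory@example.com")
    results["hardened_accepts_own_reset"] = svc.complete_reset(token, "mallory-new")
    results["hardened_leaves_other_account"] = verify_password(
        "alice-original", users["alice@example.com"]["password_hash"])
    results["token_is_single_use"] = svc.complete_reset(token, "again") is False

    # Expired token: advance the injected clock past the TTL.
    token = svc.begin_reset("mallory@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = svc.complete_reset(token, "late") is False

    # Weak handler: same valid token, but the request names alice instead.
    token = svc.begin_reset("mallory@example.com")
    redirected = complete_reset_trusting_client(svc, "alice@example.com", token, "attacker-chosen")
    results["weak_handler_redirects_reset"] = redirected and verify_password(
        "attacker-chosen", users["alice@example.com"]["password_hash"])
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the demo shows every check as True: the hardened handler changes only the account the token was issued for, rejects reuse and expiry, while the weak handler lets an edited request field pick the account. The design choice that matters is the one Microsoft's 'Server error' fix implies on the server side: the token, looked up by its hash, is the sole source of truth for which account is being reset, so there is nothing in the request worth tampering with.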
