Want someone else’s Hotmail account?

A few days ago, Whitec0de reported on a newly found vulnerability in Hotmail’s passwords. It enabled a hacker to take complete control of a user’s Hotmail account – not merely accessing the user’s mail, but preventing access for the legitimate account holder. It effectively stole the user’s entire Hotmail email database – and all the confidential and sensitive data it contains. 

The methodology leaked out – it wasn’t difficult. “All hell broke loose,” said Whitec0de, “when a member from a very popular hacking forum offered his service that he can hacked ‘any’ email accounts within a minute.” The going rate was as low as $20 per account.

Whitec0de went on to describe the exploit. “It involves using a Firefox addon called Tamper Data which allows the the user to intercept the outgoing HTTP request from the browser in real time and modify the data.” All the attacker had to do was select ‘I forgot my password’ and intercept and modify the traffic. All he needed was the legitimate Hotmail address – which is not difficult to obtain. In fact, the Sophos Naked Security blog says, “According to some reports, Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession.”

Microsoft did not wait on its usual patch cycle. It responded with a rapid quick fix resulting in a ‘Server error’ whenever the hack was attempted. But, comments a BBC report, “It is not clear how many Hotmail accounts have been hacked by attackers exploiting the bug. Those who have fallen victim will know because they will find they are locked out of their Hotmail account.”

What’s hot on Infosecurity Magazine?