UPDATE: Microsoft has issued a permanent fix for a previously undisclosed bug in its MSN Hotmail Web email service that could have allowed remote attackers to reset account passwords.
The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with their own values, according to a notice published by Vulnerability Laboratory senior researcher Benjamin Kunz Mejri. It affected Microsoft’s official MSN Hotmail (Live) service. Remote attackers could use the security hole to bypass the password recovery service and set up a new password, according to the notice.
Hotmail is the world’s largest web-based email service provider, touting some 364 million users. The flaw would also allow an attacker to bypass MSN Hotmail's token-based login protection. According to the Vulnerability Laboratory report, the token protection only checks if input values are empty before blocking or closing the web session. Mejri managed to bypass that feature by entering a string of characters, in this case, ‘+++)-.’
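The weak check the report describes, an "is the token field empty?" test, beside the check a reset flow actually needs. This is an added illustration, not Hotmail's code; the in-memory token store, the 15-minute lifetime and the account name are assumptions.

```python
"""Weak vs. hardened password-reset token validation (illustrative, not Hotmail's code)."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: account -> (issued token, expiry timestamp).
_RESET_TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Create an unpredictable, single-use, time-limited token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _RESET_TOKENS[account] = (token, now + TOKEN_TTL_SECONDS)
    return token


def weak_token_check(account: str, submitted: str) -> bool:
    """The flawed pattern in the advisory: the session is only closed when the
    value is empty, so any non-empty string (e.g. '+++)-.') is accepted."""
    return submitted != ""


def hardened_token_check(account: str, submitted: str,
                         now: Optional[float] = None) -> bool:
    """Accept only the token issued to this account, only while unexpired,
    and only once. Constant-time comparison avoids timing leaks."""
    now = time.time() if now is None else now
    entry = _RESET_TOKENS.get(account)
    if entry is None or not submitted:
        return False
    expected, expires_at = entry
    if now > expires_at:
        del _RESET_TOKENS[account]  # stale token is discarded
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del _RESET_TOKENS[account]  # consume on first successful use
    return True
```

Detection hint: a reset endpoint that accepts tokens it never issued, or the same token twice, is exactly what the hardened check refuses, so reset attempts with unmatched tokens are worth logging and alerting on.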
“On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected,” a Microsoft spokesperson told Threatpost via email.
According to a report published on WhiteC0de, the exploit was initially discovered by a Saudi Arabian hacker working for Dev-point.com and was leaked to hacker forums, where it spread quickly. Despite the quick action to fix the flaw, WhiteC0de claims it has been widely used to compromise Hotmail accounts. In turn, unauthorized access to those email accounts was leveraged to gain access to social media, financial, and other accounts linked to those addresses.