First spotted earlier this month, the flaw let attackers abuse the password recovery system to take over accounts by using reset tokens – the link sent out to rest a password when you forget what it is.
According to reports, all the hacker had to do was request a password reset and then intercept and alter the link using a Firefox add-on called Tamper Data.
Here’s how the researcher recreated the attack technique to identify the vulnerability, as described by him.
Exploitation Techique(s):
- Bypass the Recovery Mod Page to New Pass or Reset;
- Bypass token protection via not empty value or positive value(s);
- Setup new password;
- Decode CAPTCHA and send automatic values.
Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet.
Microsoft quietly fixed the problem last week. “On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed,” Microsoft said via Twitter.
Microsoft has fixed a flaw in Hotmail's password reset system
