Vulnerability allowed hackers to reset account passwords and lock the owner out using a Firefox add-on
Microsoft has issued a fix for a “high severity” password reset vulnerability that was found in its Hotmail service.
The exploit allowed an attacker to hijack email accounts by using a Firefox add-on called Tamper Data, which intercepts outgoing HTTP requests and allows them to modify the data, thereby enabling them to reset the password.
A hacker from Saudi Arabia was the first to discover the vulnerability, Whitecode reports, but it soon leaked to an underground forum where one member of the community allegedly offered his services to hack any email account for $20 (£12). As more people grew aware of the vulnerability, videos showing how to hack into accounts began popping up on YouTube.
It is thought that an as-yet unspecified number of accounts had been compromised, possibly by hackers based in Morocco.
Microsoft’s Hotmail team first picked up on the issue after it was referred to them by Benjamin Kunz Mejri, CEO and founder of Vulnerability Lab. A temporary fix was issued on 20 April before a patch resolved the problem.
“Remote attackers now get redirected to an exception page when they try to manipulate the session to reset passwords,” Mejri told Softpedia. “The vulnerability has been located, we notified them and the public attacks have been prevented by MSRC. We informed Microsoft regarding the vulnerability with detailed information.”
How well do you know Internet security? Try our quiz and find out!