Hotmail in hot water over password flaw, rushes fix

Apr 28, 2012 by Nancy Owano

Hackers got the better of Hotmail this month by figuring out how to reset the passwords of other users' e-mail accounts. Being locked out of your own account while trying to key in your password is a bad-dream scenario, like finding that your front-door key no longer works and thieves are already inside. It could have turned into a big-time nightmare if Microsoft, once notified of the weakness, had not rushed out a patch for its troubled password reset system. The Redmond company reportedly closed the loophole, so that hackers trying to manipulate the reset data now get an error message.

The fix was issued after information about the bug had been actively publicized online. According to reports from security-watching sites, information about the bug and how to pull the password caper off spread “like wildfire”, and some mischief-makers were offering to hack accounts for twenty dollars a shot. They had realized it was possible to manipulate data passed between a user and the Hotmail servers in a way that gave them control over an account.

The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with the attacker’s own values, according to a notice dated April 26 by Vulnerability Lab senior researcher Benjamin Kunz Mejri.

The bug basically involved the way Hotmail handled (or didn’t) the information that must be processed when a user wants to reset the Hotmail password.

Peter Bright, writing in Ars Technica, explained that Hotmail's password reset system uses tokens to ensure that only the account holder can reset the password. The weakness was in the validation of those tokens, and it allowed attackers to reset the password of any account.

Vulnerability Lab researcher Mejri explained, “The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values "+++)-". Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Live Hotmail module.”
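The two validators below are an added illustration, not Hotmail's code or anything from Vulnerability Lab: the weak one mirrors the flaw as Mejri describes it (the token is only tested for being non-empty, so any filler value passes), and the hardened one shows what a reset-token check should do instead. The in-memory stores and function names are hypothetical.

```python
import hashlib
import secrets
import time

# Constructed in-memory stands-ins for a reset-token table and an account table.
RESET_TOKENS = {}   # sha256(token) -> {"user": ..., "expires": ..., "used": bool}
PASSWORDS = {}      # user -> password (plaintext only to keep the demo short)


def _digest(token):
    # Store only a hash of the token so a leaked table yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user, ttl_seconds=900):
    """Mint an unguessable, time-limited, single-use token bound to one account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = {
        "user": user, "expires": time.time() + ttl_seconds, "used": False}
    return token


def reset_password_weak(user, token, new_password):
    """The flawed check: the token only has to be non-empty. Any filler value
    gets through and the password is overwritten with the caller's value."""
    if not token:
        return False
    PASSWORDS[user] = new_password
    return True


def reset_password_hardened(user, token, new_password):
    """Look the token up, require it to belong to this account, enforce
    expiry and single use, and only then change the password."""
    if not token:
        return False
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or time.time() > record["expires"]:
        return False
    if record["user"] != user:        # token minted for a different account
        return False
    record["used"] = True             # burn the token before the write
    PASSWORDS[user] = new_password
    return True
```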

User statistics are not uniform; the reported number of Hotmail users varies, somewhere between an estimated 350 million and 360 million. Sophos and other security sites say it is not known how many of these users experienced incidents with their Hotmail accounts. Those who fell victim would have known when they found themselves locked out of their Hotmail accounts. Attackers would know that particular game was over when they got an error message upon trying to sabotage the data exchange. Microsoft, addressing the incident, confirmed the fix and said “there is no action for customers, as they are protected.”


User comments : 8


3.8 / 5 (4) Apr 28, 2012
Ouch! I use hotmail. Have for a very long time. I'm not even sure where I would report a problem.
1 / 5 (10) Apr 28, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!
2.8 / 5 (10) Apr 28, 2012
Microsoft proves itself unreliable yet again.
3 / 5 (9) Apr 28, 2012
Wow, how do you figure? You realize people can sniff the stuff right off your iPhone pretty dang easily, right...?
What happened to Microsoft really isn't much different than your ex stealing your password and spying on you, or changing it and sending emails to your "other ex".....

Sorry but when it comes to free email systems, gmail and yahoo were already exposed much was the last, and the quickest to fix it.
4.3 / 5 (3) Apr 28, 2012
Gmail 2-step verification. Never worry about someone stealing your password again.
1 / 5 (1) Apr 29, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!

Yeah, as opposed to using something because it is the latest and greatest, and all your friends are doing it.

I've used it since the mid 90's, if a friend wants to contact me I still can be found.

What a troll, and an idiot. Stupid too.

Gee, names are easy! Thinking is hard.

Ought to try it sometime, if you are able.
1.8 / 5 (5) Apr 29, 2012
Lazy learners try my patience. Hotmail is a big cloud to play in for techno-retards. Next you should expect to get ripped off through a Nigerian lottery scam, given your 1990's gullibility.

not rated yet Apr 30, 2012
Yeah, and you didn't address the key question, which is I've had it for a while, you moron. There weren't too many others out there, but then I suspect you weren't even in diapers. I really need to meet your expectations? I think not.

Instead of starting an insulting match you could do something useful with your life, troll.

Oh wait, this is your life, isn't it. Pathetic, aren't you.