Hotmail in hot water over password flaw, rushes fix

Apr 28, 2012 by Nancy Owano report

Hackers tried to get the better of Hotmail this month by working out how to reset the passwords of other users' e-mail accounts. Being locked out of your own Hotmail account when you try to key in your password is a bad-dream scenario, like trying to open your front door only to find your key no longer works and thieves are inside. It could have turned into a full-blown nightmare had Microsoft, once notified of the weakness, not rushed out a patch for its troubled password reset system. The Redmond company reportedly closed the loophole, so that hackers trying to manipulate the data would now get an error message.

The fix was issued after information about the bug had been actively publicized online. According to security-watching reports, details of the bug and how to pull off the password caper spread “like wildfire”, and some mischief-makers were offering to hack accounts for twenty dollars a shot. They had realized it was possible to manipulate data passed between a user and Hotmail's servers in a way that could give them control over an account.

The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with the attacker’s own values, according to a notice dated April 26 by Vulnerability Lab senior researcher Benjamin Kunz Mejri.

The bug basically involved the way Hotmail handled (or didn’t) the information that must be processed when a user wants to reset the Hotmail password.

Peter Bright, writing in Ars Technica, explained that Hotmail's password reset system uses tokens to ensure that only the account holder can reset the password. The weakness lay in the validation of those tokens, and it allowed attackers to reset the password of any account.

Vulnerability Lab researcher Mejri explained, “The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values ‘+++)-’. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Live Hotmail module.”
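To make the weakness concrete, here is an added example (not Microsoft's code, nor anything published by Vulnerability Lab) contrasting a reset handler that only checks that the token field is non-empty, as described above, with one that validates the token against a stored, expiring, single-use value. The account names and in-memory stores are constructed placeholders.

```python
import hmac
import secrets
import time

# In-memory stores standing in for a database (constructed for this example).
TOKENS = {}      # account -> (token, expiry timestamp)
PASSWORDS = {}   # account -> current password

TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes


def issue_reset_token(account):
    """Create a single-use, time-limited reset token bound to one account."""
    token = secrets.token_urlsafe(32)
    TOKENS[account] = (token, time.time() + TOKEN_TTL)
    return token


def weak_reset(account, token, new_password):
    """Flawed validation modelled on the page's description: the handler only
    rejects an empty token, so any non-empty junk value is accepted."""
    if not token:
        return False
    PASSWORDS[account] = new_password
    return True


def hardened_reset(account, token, new_password):
    """Look up the token issued for this account, enforce expiry, compare in
    constant time, and consume it so the same link cannot be replayed."""
    entry = TOKENS.get(account)
    if entry is None:
        return False          # no pending reset for this account
    expected, expires_at = entry
    if time.time() > expires_at:
        TOKENS.pop(account, None)
        return False          # stale token
    if not hmac.compare_digest(expected, token):
        return False          # token does not match what was issued
    TOKENS.pop(account, None)  # single use
    PASSWORDS[account] = new_password
    return True
```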

User stats are not uniform; estimates of the number of Hotmail users vary, somewhere between 350 million and 360 million. Sophos and other security sites say it is not known how many of these users experienced incidents with their Hotmail accounts. Those who fell victim would have known if they found themselves locked out of their Hotmail accounts. Hackers would know that particular game was over on getting an error message when trying to sabotage the data exchange. Microsoft, addressing the incident, confirmed the fix and said “there is no action for customers, as they are protected.”


User comments : 8


3.8 / 5 (4) Apr 28, 2012
Ouch! I use hotmail. Have for a very long time. I'm not even sure where I would report a problem.
1 / 5 (10) Apr 28, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!
2.8 / 5 (10) Apr 28, 2012
Microsoft proves itself unreliable yet again.
3 / 5 (9) Apr 28, 2012
Wow, how do you figure? You realize people can sniff the stuff right off your iPhone pretty dang easily, right...?
What happened to Microsoft really isn't much different than your ex stealing your password and spying on you, or changing it and sending emails to your "other ex".....

Sorry, but when it comes to free email systems, Gmail and Yahoo were already exposed much was the last, and the quickest to fix it.
4.3 / 5 (3) Apr 28, 2012
Gmail 2-step verification. Never worry about someone stealing your password again.
1 / 5 (1) Apr 29, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!

Yeah, as opposed to using something because it is the latest and greatest, and all your friends are doing it.

I've used it since the mid 90's, if a friend wants to contact me I still can be found.

What a troll, and an idiot. Stupid too.

Gee, names are easy! Thinking is hard.

Ought to try it sometime, if you are able.
1.8 / 5 (5) Apr 29, 2012
Lazy learners try my patience. Hotmail is a big cloud to play in for techno-retards. Next you should expect to get ripped off through a Nigerian lottery scam, given your 1990's gullibility.

not rated yet Apr 30, 2012
Yeah, and you didn't address the key question, which is I've had it for a while, you moron. There weren't too many others out there, but then I suspect you weren't even in diapers. I really need to meet your expectations? I think not.

Instead of starting an insulting match you could do something useful with your life, troll.

Oh wait, this is your life, isn't it. Pathetic, aren't you.
