Hotmail in hot water over password flaw, rushes fix

April 28, 2012 by Nancy Owano

Hackers spent this month working out how to reset the passwords of other Hotmail users' e-mail accounts. Being locked out of your own account when you key in your password is something like a bad dream: you try to open your front door only to find your key no longer works and thieves are inside. It could have turned into a full-blown nightmare if Microsoft, once notified of the weakness, had not rushed out a patch for its password reset system. The Redmond company reportedly closed the loophole, so that hackers trying to manipulate the reset data now get an error message.

The fix was issued after details of the bug were actively publicized online. According to security-watching reports, information about the bug and how to pull the password caper off spread "like wildfire," and some mischief-makers were offering to hack accounts for twenty dollars a shot. They had realized it was possible to manipulate data passed between a user and Hotmail's servers in a way that gave them control over an account.

The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with the attacker’s own values, according to a notice dated April 26 by Vulnerability Lab senior researcher Benjamin Kunz Mejri.

The bug came down to how Hotmail handled, or failed to handle, the data submitted when a user asks to reset a Hotmail password.

Peter Bright, writing in Ars Technica, explained that Hotmail's password reset system uses tokens to ensure that only the account holder can reset the password. The weakness was in the validation of those tokens, and it allowed attackers to reset the password of any account.

Vulnerability Lab researcher Mejri explained, “The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Live Hotmail module.”
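The two handlers below are an added example, not Hotmail's or Microsoft's code, contrasting the kind of check Mejri describes (the token field is only tested for being empty, so any junk value passes) with a reset handler that binds the token to the account it was issued for, expires it, compares it in constant time and accepts it only once. The account names, function names and the in-memory store are assumptions made for illustration.

```python
# Added example, not Hotmail's or Microsoft's code: a password-reset handler
# with the presence-only token check the article describes, beside a hardened
# handler. The account names, the in-memory store and every function name here
# are assumptions made for illustration.
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60

# Constructed server-side state: account -> (token, expiry) for a pending reset.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """'Forgot password' step: mint a random token and bind it to the account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending_resets[account] = (token, now + TOKEN_TTL_SECONDS)
    return token  # delivered out of band (e.g. e-mailed) in a real system


def reset_password_vulnerable(account: str, token: str, new_password: str,
                              passwords: Dict[str, str]) -> bool:
    """The weakness as described: the token is only checked for being non-empty,
    so a value such as "+++)-" is accepted for any account."""
    if not token:
        return False
    passwords[account] = new_password
    return True


def reset_password_hardened(account: str, token: str, new_password: str,
                            passwords: Dict[str, str],
                            now: Optional[float] = None) -> bool:
    """Look up the token the server issued for THIS account, reject if none is
    pending or it has expired, compare in constant time, and burn it on use."""
    now = time.time() if now is None else now
    pending = _pending_resets.get(account)
    if pending is None:
        return False  # no reset was ever requested for this account
    expected, expires_at = pending
    if now > expires_at:
        del _pending_resets[account]
        return False
    # compare_digest avoids leaking how many leading bytes matched
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    del _pending_resets[account]  # single use: a captured token cannot be replayed
    passwords[account] = new_password
    return True


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed account
    store = {victim: "old-password"}
    print("vulnerable, junk token:", reset_password_vulnerable(victim, "+++)-", "pwned", store))
    store = {victim: "old-password"}
    print("hardened, junk token:  ", reset_password_hardened(victim, "+++)-", "pwned", store))
    tok = issue_reset_token(victim)
    print("hardened, real token:  ", reset_password_hardened(victim, tok, "new-password", store))
    print("hardened, token reuse: ", reset_password_hardened(victim, tok, "again", store))
```

Note that the hardened handler never consults the submitted token until it has found a token the server itself issued for that account, so a token minted for the attacker's own account is useless against anyone else's.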

User statistics are not uniform; estimates of the number of Hotmail users vary, somewhere between 350 million and 360 million. Sophos and other security sites say it is not known how many of these users experienced incidents involving their Hotmail accounts. Those who fell victim would have known when they found themselves locked out of their accounts. Attackers, for their part, would know that particular game was over when they got an error message upon trying to sabotage the data exchange. Microsoft, addressing the incident, confirmed the fix and said "there is no action for customers, as they are protected."


3.8 / 5 (4) Apr 28, 2012
Ouch! I use hotmail. Have for a very long time. I'm not even sure where I would report a problem.
1 / 5 (11) Apr 28, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!
2.8 / 5 (10) Apr 28, 2012
Microsoft proves itself unreliable yet again.
3 / 5 (9) Apr 28, 2012
Wow, how do you figure? You realize people can sniff the stuff right off your iPhone pretty dang easily, right?
What happened to Microsoft really isn't much different than your ex stealing your password and spying on you, or changing it and sending emails to your "other ex".....

Sorry but when it comes to free email systems, gmail and yahoo were already exposed much was the last, and the quickest to fix it.
4.3 / 5 (3) Apr 28, 2012
Gmail 2-step verification. Never worry about someone stealing your password again.
1 / 5 (1) Apr 29, 2012
Report to yourself. Say to yourself - TheQuietMan is an idiot and slap yourself about the head. Do you drive a Pious because it works for you or a pushbike because transport only needs to get you from A to B? Hotmail .. how quaint!

Yeah, as opposed to using something because it is the latest and greatest, and all your friends are doing it.

I've used it since the mid 90's, if a friend wants to contact me I still can be found.

What a troll, and an idiot. Stupid too.

Gee, names are easy! Thinking is hard.

Ought to try it sometime, if you are able.
1.7 / 5 (6) Apr 29, 2012
Lazy learners try my patience. Hotmail is a big cloud to play in for techno-retards. Next you should expect to get ripped off through a Nigerian lottery scam, given your 1990's gullibility.

not rated yet Apr 30, 2012
Yeah, and you didn't address the key question, which is I've had it for a while, you moron. There weren't too many others out there, but then I suspect you weren't even in diapers. I really need to meet your expectations? I think not.

Instead of starting an insulting match you could do something useful with your life, troll.

Oh wait, this is your life, isn't it. Pathetic, aren't you.
