
Because Windows 8 practically forces you to log in with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive. And what’s even more worrying is that it’s not only my webmail that’s been compromised, but my Xbox login (which holds my credit card details) and now my PC login too.

Apparently a group of Arabic (Moroccan) attackers were exploiting the zero-day in the wild and intended “to use a 13 million user Hotmail account list to reset passwords.” Thanks to the “fast reaction” from the Microsoft Security Response Center group, which issued a patch on April 20, the Arabic hacking group only hacked “some” Hotmail accounts. “This incident had the severity to end in a complete disaster with millions of compromised live/Hotmail accounts,” wrote Vulnerability Lab on HITBSecNews.

An attacker can decode the CAPTCHA and send automated values over the MSN Hotmail module. Successful exploitation results in unauthorized MSN or Hotmail account access. A remote attacker can, for example, bypass the token protection with the value “+++)-”. The token protection only checks whether the value is empty; only then does it block or close the web session.
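The flaw described above boils down to a reset-token check that rejects only an empty value instead of validating the token the server actually issued. The following is an added illustration written for this page, not code from Microsoft or Vulnerability Lab: a model of that weak check next to a token store that binds each token to an account, expires it, compares it in constant time and allows it to be used once. The class and function names are assumptions for the example.

```python
import hmac
import secrets
import time


def weak_token_check(submitted: str) -> bool:
    """Models the flaw in the text: any non-empty value passes."""
    return submitted != ""


class ResetTokenStore:
    """Issues single-use, expiring reset tokens bound to one account.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._tokens = {}  # account -> (token, expiry timestamp)

    def issue(self, account: str) -> str:
        # 32 random bytes: unguessable, unlike a fixed or attacker-chosen value
        token = secrets.token_urlsafe(32)
        self._tokens[account] = (token, self._clock() + self._ttl)
        return token

    def redeem(self, account: str, submitted: str) -> bool:
        """Return True only for the token issued to this account, unexpired, once."""
        entry = self._tokens.get(account)
        if entry is None:
            return False
        token, expiry = entry
        if self._clock() > expiry:
            del self._tokens[account]  # stale token is discarded, not honoured
            return False
        # Compare against the issued value in constant time; an empty or
        # arbitrary submission fails here instead of being waved through.
        if not hmac.compare_digest(token.encode(), (submitted or "").encode()):
            return False
        del self._tokens[account]  # single use: a replayed token fails
        return True
```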

Remote attackers can bypass the password recovery service to set up a new password, bypassing the in-place (token-based) protections. The vulnerability allows an attacker to reset the Hotmail/MSN password to attacker-chosen values. According to Vulnerability Lab senior researcher Benjamin Kunz Mejri:

That MSN Hotmail (Live) patch was a result of security researchers from Vulnerability Laboratory reporting the Hotmail password reset and setup vulnerability to Microsoft on April 6. Now every time a hack is attempted on the reset page a ‘Server Error’ is displayed. “All hell broke loose when a member from a very popular hacking forum offered his service that he can hack ‘any’ email accounts within a minute.” Many users in the Middle East were hit before Microsoft “offered a temporary fix on 20th April that brought an end to the mayhem.”

$20 could buy any hacked Hotmail account “within a minute” due to a critical password reset and setup flaw in Microsoft Live (Hotmail), and with Microsoft having 350 million unique Hotmail users, you can imagine how busy cybercriminals were exploiting the Hotmail zero-day in the wild.

A hacker from Saudi Arabia and member of the Dev-PoinT forum discovered the exploit, which was then leaked to dark-web hacking forums, reported Whitec0de.
