April 26, 3:00PM PDT: Microsoft confirms existence of flaw and fix. See update at end of post.
Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days.
A report published today at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix.
The bulletin rated the severity as “Critical,” based on this description:
A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.
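The bulletin's description boils down to a reset handler that only tests the token for being non-empty. The following is an added example (not Hotmail's code, and not from the bulletin) that places that presence-only check beside a hardened handler whose token is random, bound to one account, time-limited, single-use and compared in constant time; the store, TTL and function names are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending reset tokens keyed by account.
# A real service keeps this server-side; the TTL value is an assumption.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(account, now=None):
    """Create a random, single-use, time-limited token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[account] = {"token": token, "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_password_presence_check(account, token, new_password, users):
    """The flawed pattern the bulletin describes: the token is only tested for
    being non-empty, so any junk such as "+++)-" is accepted as valid."""
    if not token:
        return False
    users[account] = new_password
    return True


def reset_password_bound_check(account, token, new_password, users, now=None):
    """Hardened handler: the submitted token must equal the one issued to this
    account, must not have expired, and is consumed on first use."""
    now = time.time() if now is None else now
    pending = RESET_TOKENS.get(account)
    if pending is None or now > pending["expires"]:
        return False
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not hmac.compare_digest(pending["token"], token):
        return False
    del RESET_TOKENS[account]  # single use: a replayed token is rejected
    users[account] = new_password
    return True
```

Detection-wise, a reset that succeeds without a matching issued token, or one whose token value never appeared in an outbound reset email, is the signal a defender would alert on.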
The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification by VoIP Conference
2012-04-20: Vendor Response/Feedback
2012-04-21: Vendor Fix/Patch
2012-04-26: Public or Non-Public Disclosure
During at least part of that two-week gap, the vulnerability was widely exploited, one source says.
A report at Whitec0de.com notes that in the two weeks between the discovery of the vulnerability and the deployment of a server-side fix, the exploit escaped into the wild:
The exploit was first discovered by a hacker from Saudi Arabia who is a member of the popular security forum dev-point.com. Apparently the exploit got leaked to the dark-web hacking forums. All hell broke loose when a member from a very popular hacking forum offered his service that he can hack “any” email account within a minute.
The exploit eventually spread like wildfire across the hacking community. Many users who linked their email account to financial services like PayPal and Liberty Reserve were targeted and the money looted away, while many others lost their Facebook and Twitter accounts.
According to that report, the primary attack vector used a Firefox add-on called Tamper Data:
The exploit in itself was a very simple one. It involves using a Firefox addon called Tamper Data which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacker had to do was to select “I forgot my Password”, select “Email me a reset link”, start Tamper Data in Firefox and modify the outgoing data. Numerous YouTube videos have come up to demonstrate the proof of concept.
I watched one of those videos, which appeared to show a Hotmail account being compromised in real time.
So far no one has disclosed how long the exploit code was in use or how many Hotmail accounts might have been compromised.
Should you worry? Based on these reports, you would know immediately if your account was tampered with, because your password would no longer work. You're most at risk if you've linked Windows Live to other services.
Reached for comment, a Microsoft spokesperson confirmed the existence of the security flaw and the fix, but offered no further details: "On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected."