Report says Hotmail exploit "spread like wild fire," is now fixed

Summary: Microsoft plugged a serious security hole in its Hotmail password reset service last week, after one report claims it was widely exploited.

April 26, 3:00PM PDT: Microsoft confirms existence of flaw and fix. See update at end of post.

Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days.

A report published today at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix.

The bulletin rated the severity as “Critical,” based on this description:

A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.

The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:

Report-Timeline:

================

2012-04-06:    Researcher Notification & Coordination

2012-04-20:    Vendor Notification by VoIP Conference

2012-04-20:    Vendor Response/Feedback

2012-04-21:    Vendor Fix/Patch

2012-04-26:    Public or Non-Public Disclosure

During at least part of that two-week gap, the vulnerability was widely exploited, one source says.

A report at Whitec0de.com notes that in the two weeks between the discovery of the vulnerability and the deployment of a server-side fix, the exploit escaped into the wild:

The exploit was first discovered by a hacker from Saudi Arabia who is a member of the popular security forum dev-point.com. Apparently the exploit got leaked to the dark-web hacking forums. All hell broke loose when a member from a very popular hacking forum offered his service, claiming that he could hack “any” email account within a minute.

The exploit eventually spread like wild fire across the hacking community. Many users who linked their email account to financial services like Paypal and Liberty Reserve were targeted and the money looted away, while many others lost their Facebook and Twitter accounts.

According to that report, attackers carried out the exploit with a Firefox add-on called Tamper Data, which lets the user edit an HTTP request after the browser builds it but before it is sent:

The exploit in itself was a very simple one. It involves using a Firefox add-on called Tamper Data, which allows the user to intercept the outgoing HTTP request from the browser in real time and modify the data. All the attacker had to do was to select “I forgot my Password” and “Email me a reset link”, start Tamper Data in Firefox and modify the outgoing data. Numerous YouTube videos have come up to demonstrate the proof of concept.

I watched one of those videos, which appeared to show a Hotmail account being compromised in real time.
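To make concrete what the bulletin's one-line description ("only checks if a value is empty") and the Tamper Data account above amount to, here is an added illustration, not Hotmail's code (which was never published) and not from either report. It models a reset endpoint two ways: a weak check that rejects only an empty token, which a forged value such as "+++)-" sails past, and a hardened check in which the token is generated server-side, delivered out of band, bound to one account, time-limited, single-use and compared in constant time. The class and function names, the account strings and the 15-minute lifetime are assumptions made for the example.

```python
"""Password-reset token check: the weak pattern described in the bulletin
next to a hardened one.  Constructed illustration, not Hotmail's code."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ResetRequest:
    """The fields a reset form posts.  Every one of them is client-controlled:
    an intercepting tool such as Tamper Data can rewrite them before they
    leave the browser, so the server must not trust any of them."""
    account: str
    token: str
    new_password: str


# --- Weak check: rejects only an EMPTY token -------------------------------
def weak_reset(req: ResetRequest, passwords: dict) -> str:
    """Models the check the bulletin describes: the session is closed when
    the token is empty, but any non-empty junk such as "+++)-" passes and
    the attacker-chosen password is stored."""
    if not req.token:
        return "session closed"
    passwords[req.account] = req.new_password
    return "password changed"


# --- Hardened check --------------------------------------------------------
@dataclass
class IssuedToken:
    account: str
    token: str
    expires_at: float
    used: bool = False


class ResetService:
    """Server-side state: the token is generated by the server, delivered
    out of band (the 'Email me a reset link' step), bound to one account,
    expires, and is accepted once.  Names are assumptions for the example."""

    def __init__(self, ttl_seconds: float = 900.0):
        self.passwords: dict[str, str] = {}
        self.issued: dict[str, IssuedToken] = {}
        self.ttl = ttl_seconds

    def issue_token(self, account: str, now: float) -> str:
        """Called when the user picks 'Email me a reset link'."""
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
        self.issued[account] = IssuedToken(account, token, now + self.ttl)
        return token  # in a real system this goes into the e-mailed link

    def reset(self, req: ResetRequest, now: float) -> str:
        issued = self.issued.get(req.account)  # lookup by account, so a token
        if issued is None:                     # issued for X cannot reset Y
            return "rejected"
        if issued.used or now > issued.expires_at:
            return "rejected"
        # Constant-time comparison against the server's own copy; a made-up
        # value like "+++)-" never matches, empty or not.
        if not hmac.compare_digest(issued.token.encode(), req.token.encode()):
            return "rejected"
        issued.used = True
        self.passwords[req.account] = req.new_password
        return "password changed"


def demo() -> dict:
    """Runs the forged-token request against both checks."""
    victim = "victim@example.com"           # constructed sample account
    forged = ResetRequest(victim, "+++)-", "attacker-chosen")

    weak_store = {victim: "original"}
    weak_result = weak_reset(forged, weak_store)

    svc = ResetService()
    svc.passwords[victim] = "original"
    hard_result = svc.reset(forged, now=0.0)
    return {"weak": weak_result, "weak_password": weak_store[victim],
            "hardened": hard_result, "hardened_password": svc.passwords[victim]}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the request field carries no authority on its own: whatever Tamper Data substitutes, the server only acts when the value equals the secret it generated for that account, within its lifetime, and only once. The same discipline applies to any other client-supplied field in the reset flow, such as the account name or the "new password" step being reached at all.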

So far no one has disclosed how long the exploit code was in use or how many Hotmail accounts might have been compromised.

Should you worry? Based on these reports, you would find out the next time you tried to sign in, because your password would no longer work. You're most at risk if you've linked Windows Live to other services, such as the payment accounts mentioned above.

Reached for comment, a Microsoft spokesperson confirmed the existence of the security flaw and the fix, but offered no further details: "On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected."

Topics: Security, Browser, Collaboration

Talkback

28 comments
  • Hacked On Behalf Of

    Well, if I can't get rid of the annoying "sent on behalf of" string in the From address (which pushed me to Yahoo Mail instead) maybe Microsoft will change it to "hacked on behalf of" as a courtesy...
    JohnMorgan3
  • They don't call it 'Hot'mail for nothing...

    http://instantrimshot.com/index.php?sound=rimshot&play=true
    DTS, Your Linux Advocate
    • 'Hoot'mail might be more apropos

      Eons ago I chose this service for my webmail needs, mostly to protect a few pop3 accounts I had. I was pleased with the setup overall. It was rudimentary but functional -- and free. Then before you could practically blink MS got their grubby paws on it in a classic embrace-and-extend maneuver that Rommel or von Manstein would be proud of.

      Before you could blink, hackers took aim at it. Armed with nothing more than the password 'eh' you could get thru the front door of any account, even my simple **** character ones! At the time it was cited as being "the most widespread security incident in the history of the Web." *Auwe* as the Hawaiians like to say. :x

      Now by this point they've sprinkled more Ajax into the mix than Mr. Clean could rinse right. Every time they make do with their newest facelift I'm left to cringe. Takes ages to get the hang of each new layout, and right when you do they insist on remaking it all over again. That I should complain, being their beaten down, drip fed wh0re junkie. :(

      [i]Busted, down on Bourbon Street
      Set up, like a bowlin' pin
      Knocked down, it gets to wearin' thin
      They just won't let you be, oh no[/i]
      klumper
    • That page contains TOO many errors and doesn't work properly.

      Please consider using correct code using open standards.
      Mikael_z
  • A few things

    (1) When are the Hotmail Team going to actually get someone in that can design & code a far more secure authentication and login schema?

    (2) ummm .. where's (or when's) the fix? Ed, you've a lot of info' but the most important info' ... the fix process, isn't described. (EDIT: how about describing the fix process in a little more depth?)

    (3) Anyone that links online financial facilities to their free, online email is asking for it. EDIT: Can you name anyone you know that does that?

    EDIT (4): Why is Tamper Data not blacklisted in the FF Addon Repository? I mean, for real?

    Either way, this is just more bad news (after a number of years of bad publicity) for Hotmail.

    Will this be the straw that breaks the camel's back? We'll see, i do, after all, have other email options.
    thx-1138_
    • Will this be the straw that breaks the camel's back?

      Nope. Not even close.

      Hotmail is a camel with an almost impervious back.

      I've used it for over a decade and couldn't be happier.

      Sorry to burst your bubble.
      Cayble
  • Are you kidding?

    You expect a company to tell you "how" it plugged a security hole? Why would any company worried about security give that type of information out?
    RonCri
    • are you reading the same blog?

      so since you're slow on the uptake:

      [i]" ... A critical vulnerability was found in the password reset functionality of Microsoft's official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values "+++)-". Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module. "[/i]

      Later in the write-up the key attack avenue (Tamper Data) is even mentioned. So since we obviously have a total lowdown on the vulnerability and attack vectors .. it stands to reason he ought to at least discuss:

      * the basic fix process (not the actual, sensitive mitigation steps taken by the Hotmail Team, as you wrongly assume i was asking about.)

      * A 'What next?' list and mitigation steps for end-users of the service.
      thx-1138_
      • They patched the server...

        on 21.04, what more do you need to know? There is no user installable patch, so details will be thin on the ground anyway.

        But the patch would involve investigating how this happens, changing the code so that it doesn't allow this any more (hopefully, they will also review whether similar exploits would work in this area of code), test the results and release online.

        What more do you want to know?
        wright_is
      • @wright_is .. what more do i need to know?

        Gee, let me see ... the fact that Microsoft's flagship, free hotmail service had a vulnerability for over two weeks.

        So what reaction would you like from a concerned public? Would you prefer folk acted like a group of sycophantic Mac users and claim nothing's wrong? .. that there's nothing to see here .. so move along??

        No, on second thoughts, let's do the shockingly unthinkable ... let's ask for a bit of transparency.

        Seriously though, how about an advisory from MS to advise users on how this affects them and an official advisory about mitigating possible further exploits along the same lines (i.e. guarding the end-user from others and themselves), the level of severity and an insight into how the Hotmail Team are working on improving - and safeguarding the service (as a whole) from here on out.

        Are you happy with me asking for that much? Or should i be like you and pretend nothing's happened?
        thx-1138_
      • @thx-1138

        Nobody is "acting like a group of sycophantic Mac users." Microsoft knew about the problem, they fixed the problem and they informed the public.

        But there isn't much more they can say about the "fix process". It is a standard process that is pretty much the same for any product.

        Informing the public while there was no fix would have made the problem worse - it would have alerted other "interested" parties into attempting to exploit the problem.

        That said, I agree with your "What next" list. That could be better explained.
        wright_is
      • @thx

        Duh! The attack vector is not web page script based. It is browser specific. In particular, this is a Firefox add-on problem since it allows intruders to modify HTTP data.

        Who do you blame - Firefox or Microsoft?

        Next - why does Microsoft have to explain what will not affect a client user? The problem already occurred, was fixed and then a release explained.

        But I would agree that this is a serious Hotmail issue since apparently client accounts are linked to Paypal accounts where money was taken out.
        calahan
      • @calahan

        What on earth did Firefox do wrong?
        yoonsikp
      • You just have to find something to carp about?????

        MS at least admitted to the problem.

        Unlike some other big bucks company we all know.

        And when I say you just have to complain, I mean now that you can't say Ed only reports great things about MS, you have to find some reason to carp about MS itself.

        So sad.
        Cayble
  • That could explain...

    http://www.pcpro.co.uk/blogs/2012/04/25/moving-from-gmail-to-hotmail-the-disastrous-conclusion/

    One journalist at PC Pro was doing a story about moving to Hotmail from Google Mail and he was very positive, until at the last minute his account was "hacked".

    It is still uncertain how he got hacked, although the "simple" password might also have been a factor...

    Touching wood, I have to say, I've never experienced any security problems with Hotmail in over 15 years of use.
    wright_is
    • @wright_is .. neither have i

      had the misfortune of having my email account hacked (crossing fingers) .. but that doesn't mean i (or any other Hotmail user) doesn't have the right to be alarmed or even a tad panicky about this breach.

      What it looks like you're advocating is no less than [i]plausible deniability[/i]. You wouldn't be a secret service operative by any chance, would you?

      [i]" ... Touching wood, I have to say, I've never experienced any security problems with Hotmail in over 15 years of use. "[/i]

      Good on you, you smug pratt. While you're basking in your narcissistic glow, spare a thought for those Hotmail users that were pwned via the FF/Tamper Data exploit.

      Your score today: -100
      thx-1138_
      • Here is another that has never been hacked in 13 years!!!

        nc
        eargasm
      • You're a clown.

        Nuff said.
        Cayble
    • No this issue could not explain...

      No this issue could not explain the reporter story about getting hacked.
      This reporter's claims include logging in to Hotmail even after the hack.
      So his password was not changed.
      Therefore it was not this hack which included resetting the password.
      IE11
      • Yep

        I realised that after posting.

        He also states in a related story on PC Pro, that he does not believe that is the cause of the problems. It will be interesting to see what Microsoft say in this case.
        wright_is