Microsoft fixes critical Hotmail password flaw


Microsoft has fixed a critical security flaw in its Hotmail login process that made it possible for hackers to take over accounts on the webmail service.

The Microsoft security team said in a tweet on Friday that it had "addressed a reset function incident to help protect Hotmail customers", and that no further action was needed on the customer's part.

The exploit, identified by researchers at Vulnerability Lab, targeted the Hotmail password reset facility using Tamper Data, a Firefox add-on that lets the user intercept and modify HTTP request parameters before the browser sends them to the server.

"The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based) … Successful exploitation results in unauthorised MSN or Hotmail account access," the researchers wrote on Thursday.
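The article does not say which request field Hotmail's reset handler trusted, so the following is an added, generic illustration of the flaw class rather than Hotmail's code or the actual exploit. It models a reset endpoint in two forms: one that checks only that a reset token exists and then resets whichever account the form names (a field a proxy such as Tamper Data lets the attacker rewrite after requesting a reset for their own account), and a hardened one that takes the account from the server-side token record, enforces expiry and single use, and refuses a form that names a different account. Every account, token and form field here is constructed for the example.

```python
"""Illustrative password-reset handlers (not Hotmail's implementation).

reset_weak   - trusts the client-supplied 'account' field once any valid
               token is present, so a tampered request resets a victim.
reset_hardened - binds the reset to the account recorded when the token
               was issued, and enforces expiry and single use.
All accounts and field names are constructed for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # assumed token lifetime


@dataclass
class ResetRecord:
    account: str      # account the token was issued for
    expires: float    # epoch seconds
    used: bool = False


class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        # Constructed accounts and current passwords.
        self.passwords = {
            "attacker@example.com": "attacker-old",
            "victim@example.com": "victim-old",
        }
        # Keyed by SHA-256 of the token so a leaked table does not leak live tokens.
        self.records: dict[str, ResetRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, account: str) -> str:
        """Step 1 of a reset flow: issue a random token bound to the account."""
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = ResetRecord(
            account=account, expires=self.now() + RESET_TTL_SECONDS
        )
        return token

    def reset_weak(self, form: dict) -> bool:
        """Vulnerable: the token only proves *some* reset was requested; the
        account to reset is taken from the form, which the client controls."""
        rec = self.records.get(self._key(form.get("token", "")))
        if rec is None:
            return False
        self.passwords[form["account"]] = form["new_password"]
        return True

    def reset_hardened(self, form: dict) -> bool:
        """Hardened: account comes from the server-side record, never the form.
        A form naming a different account is treated as tampering and refused;
        the token must be unexpired and is consumed on success."""
        rec = self.records.get(self._key(form.get("token", "")))
        if rec is None or rec.used or self.now() > rec.expires:
            return False
        if form.get("account") is not None and form["account"] != rec.account:
            return False  # client-supplied account disagrees with the token
        rec.used = True
        self.passwords[rec.account] = form["new_password"]
        return True


def tampered_request(token: str) -> dict:
    """The request an attacker would submit after editing the 'account' field
    of their own legitimate reset request in an intercepting proxy."""
    return {"token": token, "account": "victim@example.com",
            "new_password": "attacker-chosen"}


if __name__ == "__main__":
    weak = ResetService()
    tok = weak.issue_token("attacker@example.com")  # attacker resets their own account
    print("weak handler accepted tampered request:", weak.reset_weak(tampered_request(tok)))
    print("victim password now:", weak.passwords["victim@example.com"])

    hard = ResetService()
    tok = hard.issue_token("attacker@example.com")
    print("hardened handler accepted tampered request:", hard.reset_hardened(tampered_request(tok)))
    print("victim password still:", hard.passwords["victim@example.com"])
```

The fix that matters is the single line in `reset_hardened` that writes to `rec.account` instead of `form["account"]`: any value the client can edit in transit must not decide which account a reset applies to. Rejecting a mismatched account (rather than silently ignoring the field) also gives a clean signal to log as attempted tampering.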

Although public disclosure came only on Thursday, reports that the flaw was already being exploited in the wild had been circulating beforehand.

The WhiteC0de blog noted a week ago that the exploit had "spread like wildfire across the hacking community", with victims losing money and, in some cases, valuable usernames.

The WhiteC0de report also noted rumours of a separate "critical vulnerability" in Hotmail that was also being exploited by hackers, but stressed that there was as yet no evidence to support those rumours.