Cybercrooks were busy exploiting a critical zero-day password reset and setup vulnerability in Microsoft Hotmail in the wild. With 350 million users holding Hotmail accounts, it was complete 'mayhem' when malicious hackers advertised on underground forums that any MSN Hotmail account could be hacked for $20 'within a minute.' Microsoft has issued a fix.

$20 could buy any hacked Hotmail account “within a minute” thanks to a critical password reset and setup flaw in Microsoft Live (Hotmail), and with Microsoft counting 350 million unique Hotmail users, you can imagine how busy cybercriminals were exploiting the Hotmail zero-day in the wild.

A hacker from Saudi Arabia, a member of the Dev-PoinT forum, discovered the exploit, which was then leaked to dark-web hacking forums, Whitec0de reported. “All hell broke loose when a member from a very popular hacking forum offered his service that he can hack ‘any’ email accounts within a minute.” Many users in the Middle East were hit before Microsoft “offered a temporary fix on 20th April that brought an end to the mayhem. Now every time a hack is attempted on the reset page a ‘Server Error’ is displayed.”

That MSN Hotmail (Live) patch was the result of security researchers from Vulnerability Laboratory reporting the Hotmail password reset and setup vulnerability to Microsoft on April 6. According to Vulnerability Lab senior researcher Benjamin Kunz Mejri:

The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access.
An attacker can decode CAPTCHA and send automated values over the MSN Hotmail module.

“This incident had the severity to end in a complete disaster with millions of compromised Live/Hotmail accounts,” wrote Vulnerability Lab on HITBSecNews. Apparently a group of Arabic (Moroccan) attackers was exploiting the zero-day in the wild and intended “to use a 13 million user Hotmail account list to reset passwords.” Thanks to the “fast reaction” of the Microsoft Security Response Center, which issued a patch on April 20, the Arabic hacking group only hacked “some” Hotmail accounts. Whitec0de suggested there is another critical Hotmail vulnerability that can be found by lurking around on the darknet.

In other Hotmail-related news, Microsoft had challenged the editor of PC Pro to return to Hotmail after six years on Gmail. He imported a decade’s worth of contacts from Gmail, Facebook and LinkedIn into Hotmail. Only two weeks into the swap, PC Pro editor Barry Collins reported a “disastrous conclusion”: his Hotmail account was hacked and “sent an email containing a link to a malicious site” to all of his personal and professional contacts. Collins wrote, “SkyDrive integration and automatic inbox Sweep were genuinely useful, and way ahead of what Google’s webmail offers.” But after being hacked, he reported: “I simply can’t trust Hotmail anymore. And what’s even more worrying is that it’s not only my webmail that’s been compromised, but my Xbox login (which holds my credit card details) and now my PC login too.
Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive.”

InfoWorld previously wrote about the “hidden danger of Windows 8 Microsoft accounts.” Microsoft “rebranded many old accounts — Windows Live ID, Hotmail ID, Zune, and Xbox Live IDs — into a shiny new ‘Microsoft Account’.” Although Windows 8 “stacks the deck, trying to convince people to log on with an email address,” and a Microsoft Account is required to “get the most” from apps, InfoWorld asked what happens if you used your Hotmail or Windows Live email address and your Hotmail gets hijacked.

The PC Pro editor with the hacked Hotmail account said his password was “a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun,” which leads us back to the problem of weak passwords and hijacked Hotmail accounts.

*Update* – After reading this article, Microsoft contacted me and would like to make the following ‘official’ statement: “On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected.”
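The token check Kunz Mejri describes above, a guard that only rejects an empty value and lets junk such as “+++)-” through, is a recognisable flaw class. The following Python is an added illustration written for this page; it is not Microsoft's code and not from Vulnerability Lab's report, and nothing here claims to know how Hotmail's reset page was actually implemented. It puts a reset handler with exactly that empty-check beside a hardened one that verifies the token against a stored, hashed, account-bound, expiring, single-use record. The in-memory stores, the account names and the `vulnerable_reset`/`hardened_reset`/`issue_reset_token` names are constructed for the example; the value “+++)-” is the one quoted in the advisory.

```python
"""Password-reset token verification: the empty-check anti-pattern beside a
hardened version. Hypothetical illustration written for this article, not
Microsoft's or Vulnerability Lab's code."""
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory stores standing in for a database.
PASSWORDS: Dict[str, str] = {
    "victim@example.com": "old-hash",
    "bystander@example.com": "old-hash",
}
# digest(token) -> {"account": ..., "expires": ...}
RESET_TOKENS: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 15 * 60


def _digest(value: str) -> str:
    # Illustrative only: a real password store needs a slow hash (argon2/bcrypt);
    # for the reset token itself SHA-256 is fine, since the token is random.
    return hashlib.sha256(value.encode()).hexdigest()


def vulnerable_reset(account: str, token: str, new_password: str) -> bool:
    """Mirrors the flaw class in the advisory: the token is never compared with
    anything the server issued. Only an EMPTY token is refused, so any non-empty
    string such as '+++)-' passes and the attacker picks the new password."""
    if account not in PASSWORDS:
        return False
    if not token:  # the only "protection": empty -> block / close session
        return False
    PASSWORDS[account] = _digest(new_password)
    return True


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Issue an unguessable token. Only its hash is stored, bound to the account
    and to an expiry, so a leaked table does not yield usable tokens."""
    if account not in PASSWORDS:
        raise KeyError(account)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    RESET_TOKENS[_digest(token)] = {
        "account": account,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def hardened_reset(account: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the reset only if the presented token hashes to a stored record
    that belongs to this account and has not expired. The record is removed
    before any further check, so a token is single-use whether or not it wins."""
    now = time.time() if now is None else now
    if account not in PASSWORDS or not token:
        return False
    # Lookup is on the digest of a high-entropy secret; a timing side channel on
    # the digest comparison gives no way back to the token itself.
    record = RESET_TOKENS.pop(_digest(token), None)
    if record is None:
        return False  # unknown, already used, or attacker-invented token
    if record["account"] != account:
        return False  # token issued for someone else
    if now > record["expires"]:
        return False  # stale token
    PASSWORDS[account] = _digest(new_password)
    return True


if __name__ == "__main__":
    print("vulnerable, junk token:", vulnerable_reset("victim@example.com", "+++)-", "pwned"))
    print("hardened, junk token:  ", hardened_reset("victim@example.com", "+++)-", "pwned"))
    t = issue_reset_token("victim@example.com")
    print("hardened, real token:  ", hardened_reset("victim@example.com", t, "new-secret"))
    print("hardened, token reused:", hardened_reset("victim@example.com", t, "new-secret"))
```

The point of the contrast is that the weak check validates the shape of the input rather than its origin: a token is only meaningful if the server can tie it back to a record it created for that account, within a time window, once. The CAPTCHA step the advisory mentions sits in front of this check and does not substitute for it; once an attacker automates the form, the empty-check is the only thing standing between a 13-million-address list and a password reset for each entry.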
Follow me on Twitter @PrivacyFanatic