Monday, April 23, 2012

Vulnerability in Hotmail allowed changing the password of any account

A serious security flaw in Microsoft's Hotmail email service was discovered earlier this month and heavily exploited last week. It allowed anyone who knew about the flaw to change the password of a Hotmail account without knowing the original password and without answering the usual security questions. All it took was a Firefox extension and the willingness to violate the security of an account.

The way this vulnerability was exploited is very interesting. After entering a Hotmail email address on the login page and clicking "Forgot Password", you get several options for regaining access to the account. If you choose the option "Send me an email link reset", the page sends an HTTP request containing the alternate email address of the account in question, so that the link is sent to that address. This HTTP request, however, could be modified with Tamper Data (a Firefox extension made for modifying data in HTTP requests) so that the password reset link was sent to a different email address.


Thus a person could have the link sent to their own email address, reset the password of an account and gain access to it very easily. And if the account was linked to social networking accounts such as Facebook and Twitter, those accounts ended up compromised as well. As the site Whitec0de.com points out, the vulnerability has been patched by Microsoft, but a search for "ثغرة الهوتميل 2012" on YouTube turns up many videos of it being exploited.
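The flaw described above comes down to a reset handler that takes the link's recipient from the request instead of from the account record; the sketch below puts that pattern next to a corrected one. It is an added example, not Microsoft's code: the page does not give the real request format or the fix, so the field names `account` and `alt_email`, the function names, the in-memory stores and the `.example` addresses are all hypothetical.

```python
import secrets

# Constructed account store: primary address -> alternate address on file.
ACCOUNTS = {"victim@hotmail.example": "victim.backup@mail.example"}
OUTBOX = []        # (recipient, reset_link) pairs; stands in for a mail queue
RESET_TOKENS = {}  # one-time token -> account the token may reset
ALERTS = []        # accounts whose reset request carried a mismatched recipient


def _send_reset(account, recipient):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = account
    OUTBOX.append((recipient, f"https://mail.example/reset?token={token}"))
    return recipient


def reset_vulnerable(form):
    """Flawed pattern: the recipient is whatever the request says it is."""
    account = form["account"]
    if account not in ACCOUNTS:
        return None
    # The page pre-filled 'alt_email', but nothing stops the client from
    # changing it in transit, so the link follows the edited value.
    return _send_reset(account, form["alt_email"])


def reset_hardened(form):
    """Corrected pattern: the request only names the account."""
    account = form.get("account")
    stored = ACCOUNTS.get(account)
    if stored is None:
        return None
    # A client-supplied recipient is never used. A mismatch is recorded,
    # because an unmodified page would always echo the stored address.
    supplied = form.get("alt_email")
    if supplied is not None and supplied.lower() != stored.lower():
        ALERTS.append(account)
    return _send_reset(account, stored)


# Constructed request in which the recipient field was edited before sending.
tampered = {"account": "victim@hotmail.example",
            "alt_email": "someone.else@mail.example"}

if __name__ == "__main__":
    print("vulnerable sends to:", reset_vulnerable(tampered))
    print("hardened sends to:  ", reset_hardened(tampered))
    print("accounts flagged:   ", ALERTS)
```

The mismatch record in `reset_hardened` doubles as a detection signal: reset requests whose recipient differs from the address on file are worth alerting on even after the handler stops honouring them.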

The vulnerability was discovered by an Arab hacker, and I guess the language difference helped keep it from spreading too far. But another hacker ended up publishing this vulnerability on a well-known forum (and charging $20 to steal accounts), and it ended up being widely exploited. The Microsoft Answers site contains posts from a number of people who were attacked and had their accounts changed to Arabic.

We contacted Microsoft to ask for the company's official position on the vulnerability, but as of the publication of this post there has been no response.