Earlier this month, cybercriminals took advantage of a security hole in Hotmail to compromise accounts, steal personal information, and transfer funds--all without the knowledge of the user who owns the account in question.
This was revealed in a report published by Vulnerability-Lab, which provided details and a timeline of the Hotmail password reset vulnerability.
A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based).
The vulnerability was discovered on April 6th and was patched on April 20th. During that period, the security hole was widely exploited and "spread like wildfire" in underground hacking communities.
Apparently the exploit got leaked to the dark-web hacking forums. The exploit eventually spread like wildfire across the hacking community. Many users who linked their email account to financial services like PayPal and Liberty Reserve were targeted and the money looted away, while many others lost their Facebook and Twitter accounts.
-- Whitec0de.com report
The exploit was apparently simple to execute, since all it required was a Firefox add-on called Tamper Data.
If you have a Hotmail account, then the first thing you'd want to check is if your password still works. If it does, then your account is okay. If it doesn't, either try again or contact Hotmail about your account right away.
Article by Hazel Chua
Gigadgetry: Cool Gadgets, Tech News, Quirky Devices