Wednesday, 2 May 2012

Want someone else’s Hotmail account

A software bug can often lead to a vulnerability that can be exploited with sophisticated exploit code. Or sometimes you can just install a free add-on that lets you do the same thing with no effort.

A few days ago, Whitec0de reported on a newly found vulnerability in Hotmail’s passwords. It enabled a hacker to take complete control of a user’s Hotmail account – not merely accessing the user’s mail, but preventing access for the legitimate account holder. It effectively stole the user’s entire Hotmail email database – and all the confidential and sensitive data it contains.

The methodology leaked out – it wasn’t difficult. “All hell broke loose,” said Whitec0de, “when a member from a very popular hacking forum offered his service that he can hack ‘any’ email accounts within a minute.” The going rate was as low as $20 per account.

Yet again, a great example of why we need more than static passwords. When are we going to learn?????


AL said...

For "completeness" it may be worth adding a note / link to the update from Microsoft indicating they fixed the password reset vulnerability :!/msftsecresponse/status/195568235654021121

"On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed"

Copyright 2009 Jason Hart.