“This incident had the severity to end in an complete disaster with millions of compromised live/Hotmail accounts,” wrote Vulnerability Lab on HITBSecNews. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module. Successful exploitation results in unauthorized MSN or Hotmail account access. A remote attacker can, for example bypass the token protection with values “+++)-“. The token protection only checks if a value is empty then blocks or closes the web session. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. According to Vulnerability Lab senior researcher Benjamin Kunz Mejri: That MSN Hotmail (Live) patch was a result of security researchers from Vulnerability Laboratory reporting the Hotmail password reset and setup vulnerability to Microsoft on April 6.
Now every time a hack is attempted on the reset page a ‘Server Error’ is displayed.” “All hell broke loose when a member from a very popular hacking forum offered his service that he can hacked ‘any’ email accounts within a minute.” Many users in the Middle East were hit before Microsoft “offered a temporary fix on 20 th April that brought an end to the mayhem. $20 could buy any hacked Hotmail account “within a minute” due to a critical password reset and setup flaw in Microsoft Live (Hotmail), and with Microsoft having 350 million unique Hotmail users, you can imagine how busy cybercriminals were exploiting the Hotmail zero-day in the wild.Ī hacker from Saudi Arabia and member of Dev-PoinT forum discovered the exploit which was then leaked to dark-web hacking forums, reported Whitec0de.
0 kommentar(er)
