Microsoft on Friday released a quick fix for a vulnerability in its Hotmail email platform's password reset system that had allowed hackers to gain easy access to any user's Hotmail account.
Using a Firefox add-on called Tamper Data, hackers were able to intercept the outgoing HTTP requests sent during a password reset and then manipulate that data to unlock an account while locking out its original owner.
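The article does not say which field in the reset request was altered, so the following is an added illustration of the general weakness, not Microsoft's code: a reset handler that believes the account name submitted in the form (and so can be redirected by editing the outgoing request) beside one that takes the account only from a server-signed, expiring, single-use token. All names and the in-memory user table are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed)
TOKEN_TTL = 900                    # reset tokens expire after 15 minutes
_used_tokens: set[str] = set()     # single-use bookkeeping (in-memory stand-in)


def issue_reset_token(account: str) -> str:
    """Mint a token bound server-side to one account. Account names must not contain '|'."""
    expiry = str(int(time.time()) + TOKEN_TTL)
    nonce = secrets.token_hex(8)
    payload = f"{account}|{expiry}|{nonce}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str):
    """Return the bound account if the token is authentic, unexpired and unused, else None."""
    try:
        account, expiry, nonce, mac = token.split("|")
    except ValueError:
        return None
    payload = f"{account}|{expiry}|{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                # forged or edited payload
    if int(expiry) < time.time() or token in _used_tokens:
        return None                # stale or replayed
    return account


def reset_weak(form: dict, users: dict) -> bool:
    """Weak pattern: checks that *a* valid token exists, then trusts form['account']."""
    if verify_token(form["token"]) is None:
        return False
    users[form["account"]] = form["new_password"]   # editable by the requester
    return True


def reset_hardened(form: dict, users: dict) -> bool:
    """Hardened pattern: the account comes from the token; a mismatching form field is rejected."""
    account = verify_token(form["token"])
    if account is None or form.get("account", account) != account:
        return False
    _used_tokens.add(form["token"])                  # burn the token on success
    users[account] = form["new_password"]
    return True
```

With the same token issued for one account and the form's account field changed to another, `reset_weak` overwrites the other account's password while `reset_hardened` refuses, and a second use of the token is refused as well.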
The security loophole was discovered by researchers in April and immediately reported to Microsoft. Before a fix could be implemented, the vulnerability was leaked online, where hackers could be found in forums offering to break into any Hotmail account for as little as $20.
On Microsoft’s Security Response Twitter account the following message was posted:
“On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed.”
While it's not clear at this time how many accounts were hacked, security experts say Moroccan hackers planned to use the exploit on a list of more than 13 million accounts in their possession.
In the meantime, security expert and Sophos senior technology consultant Graham Cluley told PC World:
“Hackers aren’t just interested in breaking into email accounts out of curiosity or because they want to read your spam. They’re also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control.”
Hotmail is hardly alone in being targeted this way: last year a political phishing scheme that was able to take control of accounts hit Google, Yahoo and Hotmail.