Microsoft patches account-hijack flaw in Hotmail
Microsoft has fixed a critical flaw in its popular webmail service that was allowing hackers to take over any Hotmail account within a minute. According to a report on Whitec0de last week, the exploit was first discovered by a hacker from Saudi Arabia, then leaked onto forums frequented by hackers.

The exploit technique revolved around the "I forgot my password" feature, and knowledge of it soon spread like wildfire, creating a huge buzz in the underground hacking scene. Apparently, some hackers were charging as little as $20 to break into any Hotmail account.

Underscoring the danger of how exploits on web-based systems can have wide-ranging ramifications, a blog post on Naked Security reported that "Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession."

Of particular concern is the potential for identity theft, given the wealth of personally identifying information such accounts typically hold. Moreover, a compromised email account can also be used to reset passwords and gain access to accounts on other online services.

Microsoft (NASDAQ: MSFT) did not say how many of Hotmail's 350 million users may be affected, though the company acted swiftly, blocking the attack with a "Server Error" response before deploying a fix. For now, the only way to know whether you have been affected is if you are inexplicably unable to log into your Hotmail account.

For more:
- check out this article at Network World
- check out this article at Infosecurity