The H-Online: The whitec0de.com blog reports that, for $20, a member of a hacker forum offered to crack any Hotmail account within a minute – and that he kept his word. Apparently, the hacker found out about a critical vulnerability in Microsoft’s email service on a security forum, and the hole allowed him to change the passwords of arbitrary Hotmail users.
The blog says that various users were affected as a result, for example because they used their Hotmail accounts to access services such as PayPal. Allegedly, the vulnerability was also exploited to change the ownership of particularly attractive, short account names such as [email protected] and [email protected].
Benjamin Kunz Mejri, a security expert who discovered the hole at around the same time as the incidents described above, has released details about the vulnerability in an advisory. According to the expert, the hole was contained in the “password reset” functionality – during one step, the Hotmail server apparently checked the existence of a token but not its value.
The advisory says that by injecting a token such as “+++)-” into certain requests, attackers were able to take control of any account. Kunz Mejri added that he notified Microsoft on 6 April, and that the company fixed the problem on 21 April.