Microsoft has quashed a glaring bug in its Web-based Hotmail email software that allowed Firefox users to easily reset the password another user’s Hotmail account, effectively locking them out of access to their own email. Luckily, it seems like it was a pretty simple fix because it went from being discovered to being patched in just one day. The company went public with the discovery late last week.
The glitch was specific to a Firefox add-on called Temper Data. It allowed hackers to siphon off outgoing HTTP requests in real-time from the browser, and then modify the data. So for example, in Hotmail as soon as hackers hit a password reset for any email account, they were able to instantly modify the request and put in a password of their choosing. The vulnerability was discovered by vulerability-lab.com.
That site described the security hole as follows: “Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values ‘+++)-‘. Successful exploitation results in unauthorized MSN or Hotmail account access.” Microsoft reportedly was told about the flaw on April 20, and then fixed it on April 21.
[via The Register]