geek notes for advice seekers

Hotmail security hole plugged silently, no communication, no customer service

A vulnerability in the Hotmail password reset pages that allowed hackers to get access to ANY Hotmail/MSN account has been widely exploited over the past week.

I found a video on YouTube dated April 12 describing the security hole. It is trivial: it only requires modifying one email field in the request sent to the password reset page, after which the password reset link is sent to an arbitrary email address.
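As an added illustration (not code from this post, nor Microsoft's), here is the weak pattern the video describes beside its hardened form: a password-reset handler that trusts a client-supplied destination address, versus one that only ever uses the address stored with the account. The account store, mail outbox and function names are assumptions made for the example.

```python
# Added example: trusting a client-supplied recipient for a reset link
# (the weakness described above) versus using only the stored address.
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample account store: username -> registered recovery address.
ACCOUNTS: Dict[str, str] = {
    "alice": "alice@example.com",
    "bob": "bob@example.net",
}

# Stands in for the mail gateway; records every (recipient, token) "sent".
OUTBOX: List[Tuple[str, str]] = []


def send_reset_link(recipient: str, token: str) -> None:
    OUTBOX.append((recipient, token))


def reset_vulnerable(form: Dict[str, str]) -> Optional[str]:
    """Weak version: the 'email' field of the request decides where the
    reset link goes, so anyone who can edit that field redirects it.
    Returns the recipient actually used (None if no link was sent)."""
    user = form.get("user", "")
    if user not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    send_reset_link(form["email"], token)  # BUG: attacker-controlled recipient
    return form["email"]


def reset_hardened(form: Dict[str, str]) -> Optional[str]:
    """Fixed version: the recipient comes only from the server-side record;
    any 'email' value in the request is ignored. The HTTP reply to the client
    should be the same generic message whether or not the account exists;
    the return value here is internal, for checking behaviour."""
    user = form.get("user", "")
    registered = ACCOUNTS.get(user)
    if registered is None:
        return None
    token = secrets.token_urlsafe(32)
    send_reset_link(registered, token)
    return registered
```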

My MSN accounts (and those of many of my contacts) were briefly hacked during the night of April 17 to April 18. I then informed MSRC about an unknown vulnerability in the password reset page, and it seems the vulnerability was plugged on April 19 or 20.

What surprises me is Microsoft's communication: there has been no public statement about the vulnerability, and all the hacked accounts have been permanently blocked and need to be unblocked manually by Microsoft employees. Some have been unblocked after asking on the forums, but thousands remain blocked (no password reset, whether through email, SMS or the customer service, helps).

It is now April 24 and most users don't even know this is Microsoft's fault. I'm surprised they didn't bother to help the hacked customers get their accounts back; this is another big disappointment in Microsoft's security, communication and ethics.

Other sites talking about the vulnerability:


UPDATE 26/04:

MSRC tweeted about the fix:!/msftsecresponse/status/195568235654021121

I got my account back after contacting the customer service. For this you need to follow the link on the page saying you're blocked, and then log in with a new (unblocked) account. The mess ended... at least, let's hope so.

Here is the direct link to the correct support page:

