1 May 2012

Microsoft Fixed The Password Reset Vulnerability in Hotmail

The recent security issue, a 0-day vulnerability in Hotmail that allowed passwords to be reset remotely, has been fixed. The vulnerability existed in Hotmail's password reset feature. Hackers were able to use a Firefox add-on called Tamper Data to intercept the outgoing HTTP request that followed a password reset request and modify its data, locking the account holder out and gaining access to their inbox.

Microsoft's security team said in a tweet on Friday that it had "addressed a reset function incident to help protect Hotmail customers", and that no further action was needed on the customer's part. "The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based) … Successful exploitation results in unauthorised MSN or Hotmail account access," the researchers wrote on Thursday. Although public disclosure only came on Thursday, reports of the flaw being exploited had already been circulating.

The WhiteC0de blog noted a week ago that the exploit had "spread like wildfire across the hacking community", with victims losing money and, in some cases, valuable usernames. The WhiteC0de report also noted rumours of a separate "critical vulnerability" in Hotmail that is also being exploited by hackers, but stressed that there was no evidence yet of these rumours' veracity.
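The class of flaw described above is a reset endpoint that trusts fields a client can rewrite in transit. The following is an added illustrative example, not Microsoft's code and not a reconstruction of the Hotmail flaw: it puts a weak handler, which reads the target account from the request body, beside a hardened one, which derives the account from a server-side token record and ignores whatever the request claims. The account names, token store and requests are all constructed sample data.

```python
"""Illustrative password-reset flow: the weak pattern beside the hardened one.

Added example, not Microsoft's code. Accounts, tokens and requests are
constructed sample data kept in memory; a real service would use a database.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed stores. Only a hash of each reset token is kept server-side, so a
# leaked token table cannot be replayed as-is.
ACCOUNTS = {
    "alice": {"salt": None, "hash": None},
    "bob": {"salt": None, "hash": None},
}
RESET_TOKENS = {}  # sha256(token) -> {"user", "expires", "used"}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited token bound server-side to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_hash(token)] = {
        "user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False,
    }
    return token


def _set_password(username: str, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _password_hash(new_password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = ACCOUNTS[username]
    if rec["salt"] is None:
        return False
    return hmac.compare_digest(_password_hash(password, rec["salt"]), rec["hash"])


def reset_password_weak(request: dict) -> Optional[str]:
    """Weak pattern: the token is checked only for existence, and the account to
    update is read from a client-controlled field. Because the token is never
    tied to that account, a modified request redirects the reset to any user.
    """
    record = RESET_TOKENS.get(_token_hash(request.get("token", "")))
    if record is None:
        return None
    target = request["user"]  # trusted straight from the request body
    _set_password(target, request["new_password"])
    return target


def reset_password(request: dict, now: Optional[float] = None) -> Optional[str]:
    """Hardened pattern: the server-side token record decides which account
    changes; any 'user' field in the request is ignored. Expiry and single use
    are enforced, and the token is consumed before the password is written.
    Returns the updated username, or None when the request is rejected.
    """
    now = time.time() if now is None else now
    new_password = request.get("new_password", "")
    if len(new_password) < 12:
        return None
    record = RESET_TOKENS.get(_token_hash(request.get("token", "")))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    _set_password(record["user"], new_password)
    return record["user"]
```

The point to check in a review of any reset flow is the same one the hardened handler makes: every value that decides which account changes must come from server-side state that was created when the token was issued, never from the request that redeems it. Logging rejected redemptions (unknown, expired or reused tokens) also gives a cheap detection signal for tampering attempts.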

-Source (ZDNet)