0Day Remote Password Reset Vulnerability in MSN Hotmail patched

Vulnerability Lab's picture

Microsoft’s MSN Hotmail (Live) email service currently hosts over 350 million unique users.  A Vulnerability Laboratory senior researcher, Benjamin Kunz Mejri, identified a critical security vulnerability in Microsoft’s official MSN Hotmail (Live) service. A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. 

The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values.  Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based).  The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-“.  Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.

Regarding the consequences it was a win for Microsoft to close the security issue as fast as possible after the analysis has ended.  The vulnerability can be used by attackers in combination with a web exploit kit which is automatic resetting the Hotmail or live accounts. This incident had the severity to end in an complete disaster with millions of compromised live/Hotmail accounts.  After the fast reaction of the MSRC Team only some users mail accounts got hacked by an Arabic (Moroccan) group. MSRC freeze all hacked accounts with a universal violation term message.  The Moroccan group which tried to exploit the reset vulnerability in the wild wants to use a 13 million user Hotmail account list to reset passwords.  After the vulnerability has been patched over the weekend to Monday the attackers cannot anymore access or reset any passwords of the windows live service.

The vulnerability has been patched by the Microsoft development team coordinating closely with the Microsoft Security Response Center (MSRC) & external researchers like Benjamin Kunz Mejri (vulnerability-lab). Benjamin Kunz Mejri identified & located the vulnerability on 6th & it has been addressed april 20th.


2012-04-06:	Researcher Notification & Coordination
2012-04-20:	Vendor Notification by VoIP Conference
2012-04-20:	Vendor Response/Feedback
2012-04-21:	Vendor Fix/Patch
2012-04-26:	Public or Non-Public Disclosure

“We are aware of this issue from public discussion, and we have already addressed it to protect Windows Live ID customers,” MSRC representatives said.

Advisory: http://www.vulnerability-lab.com/get_content.php?id=529