Microsoft has deployed a fix for a Hotmail password reset vulnerability that was reportedly being exploited in the wild for days. A report published at Vulnerability-Lab described the vulnerability and provided a timeline for its disclosure and fix. The bulletin rated the severity as “Critical,” based on this description:
A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module.
The bulletin says Microsoft fixed the vulnerability on April 20, 2012. The more detailed timeline puts the Vendor Fix/Patch date one day later:
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification by VoIP Conference
2012-04-20: Vendor Response/Feedback
2012-04-21: Vendor Fix/Patch
2012-04-26: Public or Non-Public Disclosure
A report at Whitec0de.com notes that in the two weeks between the discovery of the vulnerability and the deployment of a server-side fix, the exploit escaped into the wild:
The exploit was first discovered by a hacker from Saudi Arabia who is a member of the popular security forum dev-point.com. Apparently the exploit got leaked to the dark-web hacking forums. All hell broke loose when a member from a very popular hacking forum offered his service that he can hack “any” email account within a minute.
The exploit eventually spread like wildfire across the hacking community. Many users who linked their email account to financial services like PayPal and Liberty Reserve were targeted and the money looted away, while many others lost their Facebook and Twitter accounts.