Adamsappleone

U.S.Navy D.A.V.
Joined
Aug 2, 2009
Messages
1,647
It took Redmond 1 day to kill a threat that allowed users with a Firefox add-on (Tamper Data) to remotely reset the password of a Hotmail account, and allowed them to access the outgoing HTTP request and then modify the data.

Remote attackers can bypass the password recovery service to set up a new password and bypass in-place protections (token-based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access.

Microsoft was notified April 20, 2012, applied the fix April 21, 2012, then publicized it April 27, 2012.

Quote from: Microsoft squashes Hotmail password hijack bug, The Register

Good to see they are on the case...
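The quoted description says the reset token was only tested for being non-empty. As an added illustration (not code from the post, from Microsoft, or from The Register), here is that weak check beside a hardened one that binds the token to the account, expires it, compares it in constant time, and consumes it on use; the in-memory store, account names and TTL are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store (an assumption, standing in for a real database):
# account -> (sha256 hex digest of the issued token, expiry as epoch seconds).
_issued: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(account: str, ttl_seconds: int = 900) -> str:
    """Create a single-use, time-limited reset token bound to one account."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _issued[account] = (digest, time.time() + ttl_seconds)
    return token


def weak_token_check(submitted: str) -> bool:
    """The pattern the post describes: only an empty value is rejected,
    so any non-empty junk such as "+++)-" passes."""
    return bool(submitted)


def strong_token_check(account: str, submitted: str,
                       now: Optional[float] = None) -> bool:
    """Accept only the unexpired token issued for this account, then consume it."""
    now = time.time() if now is None else now
    record = _issued.get(account)
    if record is None or not submitted:
        return False
    digest, expires = record
    if now > expires:
        _issued.pop(account, None)  # stale token: discard it
        return False
    # Constant-time comparison of digests avoids leaking the token via timing.
    ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        _issued.pop(account, None)  # single use: a replayed token must not work
    return ok
```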