Windows 7 Microsoft Kills Hotmail Hijack Threat

#1
It took Redmond 1 day to kill a threat that allowed users with a Firefox add-on (Tamper Data) to remotely reset the password of a Hotmail account and allowing them to access the outgoing HTTP request, then modify the data.

Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access.
Microsoft was notified April 20, 2012, applied the fix April 21, 2012, then publicized it April 27, 2012

Quote from Microsoft squashes Hotmail password hijack bug ? The Register
 


kemical

Windows Forum Admin
Staff member
Premium Supporter
Microsoft MVP
#2
Good to see they are on the case...
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.