Microsoft Patches Critical Security Flaw in Hotmail
Hackers have been offering to exploit the bug for as little as $20 per account.
Microsoft recently patched a bug in Hotmail that enabled hackers to reset users' passwords.
"The company was notified of the flaw on April 20th and responded with a fix within hours -- but not until after widespread attacks, with the bug apparently spreading 'like wildfire' in the hacking community," writes Ars Technica's Peter Bright.
"Computer security researchers discovered the vulnerability in early April and told Microsoft about it soon afterwards," BBC News reports. "The bug revolved around the way Hotmail handles the data that must pass back and forth when a user wants to reset their password."
"The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with their own values, according to a notice published by Vulnerability Laboratory senior researcher Benjamin Kunz Mejri," writes Threatpost's Brian Donohue. "It affected Microsoft’s official MSN Hotmail (Live) service. Remote attackers could use the security hole to bypass the password recovery service to set up a new password, according to the notice."
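The reports above describe the effect of the bug (an attacker could set their own values through the password-recovery step) but not its mechanism, so the following is an added illustration of the vulnerability class rather than a reconstruction of Hotmail's code. It puts a weak reset handler, which acts on whatever account and password the client sends, beside a hardened one in which the account is taken from a server-side record bound to an unguessable, single-use, expiring token. The user store, account names and timestamps are constructed sample data; none of the identifiers come from Microsoft.

```python
"""Password-reset flow: a weak pattern beside a hardened one.

Added illustration of the flaw class the article describes; the specifics
of Hotmail's bug are not on the page and are not reproduced here.
All accounts, tokens and timestamps are constructed sample data.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory user store (hypothetical; not Hotmail's data).
USERS = {
    "alice@example.com": {"password_hash": hashlib.sha256(b"old-secret").hexdigest()},
    "bob@example.com": {"password_hash": hashlib.sha256(b"another").hexdigest()},
}


def hash_password(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real service uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PendingReset:
    account: str        # the account this token was issued for
    expires_at: float   # absolute expiry (epoch seconds)
    used: bool = False  # tokens are single use


PENDING: Dict[str, PendingReset] = {}  # token -> server-side reset state


def complete_reset_weak(form: dict) -> bool:
    """Weak pattern: the server acts on the account and password the client
    supplies, with nothing tying the request to a verified reset. Anyone who
    can reach this endpoint can set a new password on any account."""
    account = form.get("account")
    if account not in USERS:
        return False
    USERS[account]["password_hash"] = hash_password(form["new_password"])
    return True


def issue_reset_token(account: str, now: float, ttl_seconds: int = 900) -> Optional[str]:
    """Hardened flow, step 1: mint an unguessable, expiring token and record
    server-side which account it belongs to."""
    if account not in USERS:
        return None  # caller should still answer as if a mail was sent
    token = secrets.token_urlsafe(32)
    PENDING[token] = PendingReset(account=account, expires_at=now + ttl_seconds)
    return token


def complete_reset_hardened(form: dict, now: float) -> bool:
    """Hardened flow, step 2: the account comes from the server-side record for
    the token, never from the form, so the client cannot choose which account
    is reset; expired or already-used tokens are rejected."""
    token = form.get("token", "")
    entry = PENDING.get(token)
    if entry is None or entry.used or now > entry.expires_at:
        return False
    entry.used = True          # one token, one reset
    del PENDING[token]
    USERS[entry.account]["password_hash"] = hash_password(form["new_password"])
    return True


def password_matches(account: str, password: str) -> bool:
    """Constant-time check used to confirm which password is now in effect."""
    return secrets.compare_digest(USERS[account]["password_hash"], hash_password(password))
```

The contrast is the point: in the weak handler the client controls the `account` field, so the server has no way to tell a legitimate reset from an arbitrary one; in the hardened handler every mutable value except the new password is derived from state the server created itself, and a token that is wrong, reused, or expired changes nothing.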
"News of the exploit quickly spread online and hackers were offering to access Hotmail accounts for as little as $20 a time, according to reports," writes Computer Business Review's Steve Evans. "A 'how-to' video even appeared on YouTube, offering a guide to hacking Hotmail accounts."
"What isn't known is just how many of Hotmail's 350 million users might have been impacted by the serious security vulnerability -- Microsoft certainly isn't saying," writes Sophos' Graham Cluley. "But if you're worried, there's an easy way to check. Hacked Hotmail accounts would have had their passwords changed to something else -- so if you are no longer able to access your Hotmail account it's possible (although by no means definite -- there may be other reasons, of course) that your email account fell victim to this attack."