News

Microsoft fixes Hotmail security flaw

Software giant said it's "working hard" to protect email accounts from password resetting hackers.

30 Apr 2012

Software giant Microsoft has reportedly plugged a security hole in its Hotmail email service, which allowed hackers to access accounts and reset passwords.

The problem was made public by researchers at Vulnerability Labs last week in a post on its website, which contained details of how hackers have exploited the flaw.

"[It allows] attackers to reset the Hotmail/MSN password with attacker chosen values," said the post. "Remote attackers can bypass the password recovery service [and token-based protections] to setup a new password."

If successful, hackers are then able to gain unauthorised access to Hotmail and MSN accounts, it added.

It is not know how many of the 350 million Hotmail users from across the globe had been targeted by the scam. However, it has been claimed that Moroccan hackers had been planning to use the flaw to reset the accounts of up to 13 million users.

Hackers aren't interested in breaking into email accounts because they want to read your spam. They want to steal your identity.

Moreover, a report on Sophos' Naked Security blog claims videos detailing how to exploit the flaw had been circulating on YouTube for some time.

"Hackers aren't just interested in breaking into email accounts out of curiousity or because they want to read your spam," said Graham Cluley, senior technology consultant at Sophos, in the blog post.

"No, they're also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control."

When contacted for comment, a Microsoft spokesperson told IT Pro: "Hotmail engineering teams are working hard on not only protecting accounts, but also on recover[ing] them."

They also revealed the firm has launched a new, "streamlined" recovery tool to help affected users regain access to their accounts.