Microsoft announced they have fixed a critical bug in their Hotmail service which allowed remote resetting of account passwords by third parties. The zero-day exploit was first reported by a Saudi security firm and was then unfortunately leaked to Dark Web hacking forums. Within hours the exploit was reposted with a video showing the hack in action.
Here’s how the exploit works:
Using Firefox and a plugin called “Tamper Data” (the plugin allows one to modify browser requests in real time), the hacker would first click the “I forgot my password” link. Next, they would enter the email address of the account whose password needed resetting, but would use Tamper Data to change the recipient email address that was to receive the reset link to whatever email address they wanted. Of course, all the hacker has to do at this point is click the link they received in the reset email and voila! … the account is now theirs.
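To show what the server-side fix for this flaw looks like, here is an added example (not Microsoft's code or anything from the original post): a reset handler that takes the recipient address only from its own account record and ignores any recipient field the client submits, using a hypothetical in-memory account store and token table.

```python
import hashlib
import secrets
import time

# Constructed sample account store; hypothetical, not the real service's data.
ACCOUNTS = {
    "alice@example.com": {"registered_email": "alice@example.com"},
}

# Pending reset tokens keyed by SHA-256 of the token, so a leaked table is not usable.
PENDING = {}
TOKEN_TTL_SECONDS = 15 * 60


def request_reset(form, now=None):
    """Handle a 'forgot password' POST.

    The recipient address comes ONLY from the server-side account record.
    Any 'recipient' field in the submitted form (e.g. one edited in transit
    with a tool like Tamper Data) is never read, which removes the redirection bug.
    Returns the outbound mail to send, or None for an unknown account.
    """
    now = time.time() if now is None else now
    account_id = form.get("account", "")
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None  # caller shows the same generic "check your mail" page either way
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    PENDING[token_hash] = (account_id, now + TOKEN_TTL_SECONDS)
    return {"send_to": account["registered_email"], "token": token}


def redeem_token(token, now=None):
    """Exchange a reset token for the account it unlocks; single use and time limited."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(token_hash, None)  # pop makes the token single use
    if entry is None:
        return None
    account_id, expires_at = entry
    if now > expires_at:
        return None
    return account_id
```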
This is a relatively simple hack to pull off. The question is how long has it been going on?
In the past few years, I have helped a handful of family members and customers recover their personal and business Hotmail accounts that had been compromised without warning. One day it worked, the next it did not. The majority of these cases were just plain weak passwords or weak security questions that any quick web search could unearth. Unfortunately in this case, however, even an extremely complex and lengthy password is completely useless when a hacker can simply reset your password to whatever they want.
This is of course a fairly isolated incident, and I can’t recommend enough that your best bet for a secure email, Facebook, banking account, etc. is to choose a long and complex password together with security questions whose answers only you would know.