Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation 88
suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."
PcPro (Score:5, Insightful)
and to think of all the people who claimed that there was nothing wrong with Hotmail security and the PCPro chap who switched to Hotmail over Google must have had his password hacked by an alternative site.....
oh well, I'm sure this is just a coincidence, right.
Critical Infrastructure (Score:2, Insightful)
The federal government wants to require actual critical infrastructure to be security vigilant and is getting pushback from industry, again critical infrastructure, not even some silly free-ish service, to try to avoid the expense.
Corporations, by and large, do not share interests with the public. Corporations are there for profit for shareholders and management first and foremost, and due to extreme myopia in those sectors, where the quarterly profit rules supreme, spending money on things like security are not considered necessary because they don't make profit, rather they cost money. Worse, utility companies and other infrastructure companies aren't high profile; most people don't give any thought to their electric supply beyond paying the bill unless it ceases.
Corporations are not looking out for your interest, unless you happen to be one of the very few people who has any real amount of money tied up in them.
Re:Critical Infrastructure (Score:5, Insightful)
I think your tinfoil hat's on a bit too tight.
Re:Ouch (Score:5, Insightful)
Im guessing that, with that attitude, you are posting that comment using nothing but some wires, a battery and a fucking good knowledge of the tcp/ip protocol?
Every system ever built has the potential for issues, and the vast vast majority of systems have actually had issues - whatever you are using right now is not an exception.
Re:Ouch (Score:4, Insightful)
you mean pull an apple
Re:PcPro (Score:5, Insightful)
Well, since the PCpro guy logged right back in to his email, however it was compromised it wasn't with the password reset token.
If it had been the password reset token, they wouldn't know his original password, they'd have changed it to something that only the hacker would know and he wouldn't have been able to log back in like he did.
So yes, it was a coincidence and/or another unknown hack.