A high-severity password reset vulnerability has been detected in Microsoft’s official MSN Live Hotmail service. Benjamin Kunz Mejri, a senior researcher at Vulnerability Laboratory, identified the flaw in the password reset functionality of the service. The vulnerability allows an attacker to reset the Hotmail/MSN password to attacker-chosen values. Remote attackers can bypass the password recovery service to set up a new password, circumventing the token-based protection that is in place. The token protection only checks whether the value is empty, and blocks or closes the web session if it is; a non-empty but arbitrary value passes. A remote attacker can, for example, bypass the token protection with the value “+++)-“.
Successful exploitation results in unauthorized access to the MSN or Hotmail account. An attacker can also decode the CAPTCHA and send automated values to the MSN Live Hotmail module.
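As an added illustration (not part of the original advisory and not Microsoft’s code), the following Python contrasts a presence-only token check, which is the defect the advisory describes, with a hypothetical hardened reset-token store that is account-bound, unguessable, time-limited, single-use and compared in constant time:

```python
import hmac
import secrets
import time


def weak_token_check(token: str) -> bool:
    """Models the flaw described above: the reset token is only tested for
    being empty, so any non-empty string such as '+++)-' is accepted."""
    return bool(token)


class ResetTokenStore:
    """Hypothetical hardened password-reset tokens (assumed design, not the
    vendor's): issued per account, unguessable, bound to that account,
    time-limited, single-use, and compared in constant time."""

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                        # injectable clock for testing
        self._tokens = {}                     # account -> (token, expiry)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits of entropy
        self._tokens[account] = (token, self.now() + self.ttl)
        return token

    def validate(self, account: str, presented: str) -> bool:
        entry = self._tokens.get(account)
        if entry is None:                     # no outstanding reset for account
            return False
        expected, expiry = entry
        if self.now() > expiry:               # expired: discard and reject
            del self._tokens[account]
            return False
        # Compare against the server-side value in constant time; a
        # presence-only check would accept '+++)-' or any other junk.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        del self._tokens[account]             # single use: consume on success
        return True
```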
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification by VoIP Conference
2012-04-20: Vendor Response/Feedback
2012-04-21: Vendor Fix/Patch
2012-04-26: Public or Non-Public Disclosure
In simpler terms, the attacker uses Firefox with Tamper Data, a Firefox add-on, to intercept and manipulate the complete process.
This particular exploit spread like wildfire in underground forums and was exploited within the two-week period between notification and patch.
According to some reports, many of the Hotmail accounts that were linked to PayPal or Liberty Reserve were targeted and the money looted. Many users also complained about receiving spam emails from these Hotmail accounts.
This reminds me of the Yahoo mail accounts being hacked; nothing has yet been disclosed about Yahoo’s 0-day, but I am sure it exists. We have also issued an advisory for Yahoo users on how to mitigate these attacks.
This raises a few questions and forces us to think about the concept of linking email accounts and using them as a single sign-on.
For the past few years, numerous services have been integrating with each other, allowing you to access them by authenticating with Gmail, Hotmail, Yahoo, Facebook etc. Alternatively, your email accounts are used for password retrieval or serve as usernames.
The advantages are numerous: no need to register, and no need to remember different usernames and passwords for different sites/services.
But very recently I realized that the drawbacks are numerous too. Whenever I wanted to change the password for one service, I ended up changing the passwords for quite a few other linked services. There was just no method involved, and I felt quite lost in the world of passwords: managing server passwords, admin passwords and also my personal passwords.
Here is what I did to make my life simple yet have a fairly secure environment:
1: Created a list of all the sites which I frequently visit and have login rights on.
2: Segregated them into Mail, Forums, Newsletters and associated services:
   Group 1 – Email services: all having different passwords.
   Group 2 – Sites that need their own usernames but whose password retrieval depends on the email services:
      Insurance/Financial services – all having different passwords.
   Group 3 – Sites that need either Twitter or Facebook accounts, with the rest handled by OAuth APIs:
      Associated services – bit.ly, scoop.it etc.
      Some forums/newsletter sites etc.
The second task was generating another list of services which, even if they are hacked, shouldn’t impact my online presence. Also, many websites require you to register just to retrieve some piece of information, so a secondary email id was created and used for authentication and registration purposes. This effectively ensures that my primary email account stays free from spam, and that a security issue with one of these not-so-secure services does not force me to change each and every password.
At the end of this exercise, I ended up with 9 different passwords and am able to access 30+ services. When changing passwords, all I needed to do was rotate these passwords, and at the end of the term, generate 9 new passwords and manage them. During the term, if I ever came across a report suggesting a breach, all I needed to do was look at the services I used there and take action if required.
Researchers are always asking everyone to use difficult passwords or password managers and to change passwords at regular intervals, but as end-users it is our responsibility to learn to segregate and prioritize the services we use.
Password managers are closely integrated with browsers, and all of the browsers come with a password manager of their own. The issue with this is that many tools are available which can extract the stored passwords, and most trojans also extract this information and upload it to the attacker’s inbox, effectively rendering browser-based password managers useless.