A very severe bug in the Hotmail website came to light recently. A critical vulnerability allowed anyone to remotely change the password of any Hotmail account. The underground hacking scene was abuzz with hackers offering to hack any Hotmail email account for as little as $20.
The exploit was first discovered by a hacker from Saudi Arabia who is a member of the popular security forum dev-point.com. Apparently the exploit was leaked to dark-web hacking forums. All hell broke loose when a member of a very popular hacking forum advertised a service claiming he could hack “any” email account within a minute.
The exploit eventually spread like wildfire across the hacking community. Many users who had linked their email accounts to financial services like PayPal and Liberty Reserve were targeted and had their money looted, while many others lost their Facebook and Twitter accounts. Rare two- and three-letter accounts such as ab@hotmail and xxx@hotmail were looted away.
The exploit itself was a very simple one. It used a Firefox add-on called Tamper Data, which lets the user intercept the browser's outgoing HTTP requests in real time and modify the data before it is sent. All the attacker had to do was select “I forgot my password”, choose “Email me a reset link”, start Tamper Data in Firefox and modify the outgoing request. Numerous YouTube videos have appeared demonstrating the proof of concept; googling the phrase “ثغرة الهوتميل 2012” (Arabic for “Hotmail vulnerability 2012”) brings up several of them.
Microsoft has yet to make an official statement about the vulnerability. Many users, especially from Middle Eastern countries, notified the company through its support forums, but by then the damage was already done. The company rolled out a temporary fix on 20 April that brought an end to the mayhem: every time a hack is now attempted on the reset page, a “Server Error” is displayed.
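The article does not say which field of the reset request was tampered with, so what follows is an added illustration of the general defence against this class of bug, not Hotmail's code or Microsoft's fix. It contrasts a reset-completion handler that lets the submitted form decide which account to change with one that decides from the server-side token record alone and ignores any account identifier the browser sends. The in-memory account store, token store, 15-minute token lifetime and 12-character password rule are all constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stores for the example; they stand in for a real
# account database and are not any real provider's backend.
ACCOUNTS = {
    "alice@example.com": {"id": 1, "pw_hash": None},
    "bob@example.com": {"id": 2, "pw_hash": None},
}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed reset link


@dataclass
class ResetRecord:
    account_id: int      # the only source of truth for which account a token may reset
    expires_at: float
    used: bool = False


# Keyed by SHA-256 of the raw token so a leaked table does not expose live tokens.
RESET_TOKENS: Dict[str, ResetRecord] = {}


def _token_key(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode()).hexdigest()


def _pw_hash(password: str) -> str:
    # SHA-256 keeps the example short; production code uses a slow KDF (scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def _account_by_id(account_id: int) -> Optional[dict]:
    return next((a for a in ACCOUNTS.values() if a["id"] == account_id), None)


def set_password(email: str, password: str) -> None:
    ACCOUNTS[email]["pw_hash"] = _pw_hash(password)


def verify_password(email: str, password: str) -> bool:
    stored = ACCOUNTS[email]["pw_hash"]
    return stored is not None and secrets.compare_digest(stored, _pw_hash(password))


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """'Email me a reset link': mint a random token bound server-side to one account."""
    account = ACCOUNTS.get(email)
    if account is None:
        return None  # a real handler answers identically either way to avoid enumeration
    raw_token = secrets.token_urlsafe(32)
    issued = now if now is not None else time.time()
    RESET_TOKENS[_token_key(raw_token)] = ResetRecord(account["id"], issued + TOKEN_TTL_SECONDS)
    return raw_token  # goes into the emailed link only, never back to the requesting browser


def complete_reset_vulnerable(form: dict) -> bool:
    """Flawed pattern: the token only proves that *some* reset was requested; the account
    to change is read from the submitted form, which the browser fully controls."""
    if _token_key(form.get("token", "")) not in RESET_TOKENS:
        return False
    target = ACCOUNTS.get(form.get("email", ""))
    if target is None:
        return False
    target["pw_hash"] = _pw_hash(form.get("new_password", ""))
    return True


def complete_reset_hardened(form: dict, now: Optional[float] = None) -> bool:
    """Safe pattern: the account comes from the token record; any account identifier in
    the form is ignored. The token must be unexpired and is consumed on first success."""
    record = RESET_TOKENS.get(_token_key(form.get("token", "")))
    current = now if now is not None else time.time()
    if record is None or record.used or current > record.expires_at:
        return False
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return False  # reject before consuming the token so the legitimate user can retry
    account = _account_by_id(record.account_id)
    if account is None:
        return False
    record.used = True
    account["pw_hash"] = _pw_hash(new_password)
    return True


if __name__ == "__main__":
    set_password("alice@example.com", "alice-original-1")
    set_password("bob@example.com", "bob-original-1")
    token = request_reset("alice@example.com")  # only alice's mailbox would receive this
    # Constructed form with the email field swapped to another user's address.
    tampered = {"token": token, "email": "bob@example.com", "new_password": "attacker-chosen-1"}
    print("vulnerable handler changed bob:", complete_reset_vulnerable(tampered)
          and verify_password("bob@example.com", "attacker-chosen-1"))
    set_password("bob@example.com", "bob-original-1")
    print("hardened handler changed only the token's own account:",
          complete_reset_hardened(tampered)
          and verify_password("alice@example.com", "attacker-chosen-1")
          and verify_password("bob@example.com", "bob-original-1"))
```

The design point is that the emailed token is the only proof of ownership the server has, so the token record must name the account; anything else in the request (email address, user id, hidden form fields) is attacker-controlled once a proxy like Tamper Data sits in front of the browser. Single use and a short expiry limit the damage if a link is forwarded or logged.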
But rumour has it that another critical vulnerability exists, known only to the hackers who frequent the dark web. They are lying low with the exploit for now to prevent another leak to the masses and the quick patch from the company that would follow. The legitimacy of these reports is, however, questionable.
We have received many queries about the new 0-day exploit, which is yet to be patched. For the time being we can only advise you to monitor your email accounts closely.
Even our website came under DDoS attack on 17 April for leaking the information to the public. Rest assured, our team is actively scouring the deep web for more information. Be sure to check this space! Members who wanted a more detailed explanation of the old exploit can download the full video demonstration of the hack from here.