Microsoft avoided a disaster thanks to researchers from the Vulnerability Lab

Apr 26, 2012 10:11 GMT  ·  By

Security researchers from the Vulnerability Lab identified a critical password reset and setup flaw in Microsoft’s Hotmail service. As it turns out, cybercriminals also found the same weakness and quickly saw a big profit in it, but thanks to experts from the Lab and Microsoft's Security Response Center a fix was issued to prevent abuse.

According to WhiteC0de, the flaw was also detected by a hacker from Saudi Arabia. The details of the hack got leaked on an underground forum where the hacking service was advertised for $20 (15 EUR) per hacked Hotmail/Live account.

In a matter of days, a number of Hotmail accounts were hijacked by cybercriminals, presumably from Morocco, who were in possession of the remote exploit.

Fortunately for Microsoft, experts from the Vulnerability Lab, independently found the same flaw on April 10. The Redmond company was notified on April 20 and rushed to issue a temporary fix the same day.

A patch was released a few days later, before massive damage could be done by the cybercriminals.

“Remote attackers now get redirected to an exception page when they try to manipulate the session to reset passwords,” Benjamin Kunz Mejri, the CEO and founder of the Vulnerability Lab, explained.

“The vulnerability has been located, we notified them and the public attacks have been prevented by MSRC. We informed Microsoft regarding the vulnerability with detailed information.”

So let’s take a better look at the vulnerability present in the password reset functionality of the MSN Hotmail service.

The security vulnerability allowed remote attackers to bypass the recovery feature to set up a new arbitrary password. Token-based protection was in place, but it only checked if the input value was empty before closing or blocking the session.

This allowed the attacker to use context like “+++)-“ to bypass the security feature. An attacker could decode the CAPTCHA and send automated values over to the MSN Hotmail module, successful exploitation resulting in unauthorized MSN or Hotmail account access.

Here’s how the researcher recreated the attack technique to identify the vulnerability, as described by him.

Exploitation Techique(s): - Bypass the Recovery Mod Page to New Pass or Reset; - Bypass token protection via not empty value or positive value(s); - Setup new password; - Decode CAPTCHA and send automatic values.

If utilized in combination with a web exploit kit, the flaws could have been leveraged to automatically reset Hotmail or MSN Live accounts. MSRC made sure the problem no longer represents a threat, the account hijacking attacks being blocked.

“We are aware of this issue from public discussion, and we have already addressed it to protect Windows Live ID customers,” MSRC representatives said.

Update. We have obtained another statement from Microsoft representatives regarding the issue.

“On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected,” a Microsoft spokesperson said.