Security researchers Mohit Kumar and Christy Philip Mathew have found that a cookie handling vulnerability allows cybercriminals to gain access to the accounts of Hotmail and Outlook users.
They’ve demonstrated that an attacker who can gain access to authentication cookies can simply import them into the browser by using a “cookie importer” add-on and he’ll be automatically logged in to his victim’s account when he accesses one of the Microsoft services.
Kumar explains that there are various methods that could be used to obtain authentication cookies: a man-in-the-middle attack if the victim and the attacker are on the same network, malware, a cross-site scripting (XSS) flaw if one exists, or physical access to the victim’s device.
The researchers have notified Microsoft of this vulnerability. The Redmond company’s representatives claim that this is a known issue and that they’re planning on implementing a ticket revocation mechanism into an upcoming release.
They also highlight the fact that Live services use independent cookies which they transmit over a secure connection in order to avoid replay attacks. Furthermore, they claim that an attacker cannot change the victim’s password because that would require him to know the old password.
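The two mitigations the article touches on, a server-side revocation mechanism for session tickets and cookies that are only sent over a secure connection, can be shown together in a small model. The following is an added example written for this page; it is not code from the researchers or from Microsoft, and the `SessionStore`, `issue`, `validate`, `revoke_all` and `set_cookie_header` names, the ticket format and the demo key are all assumptions made for illustration. It shows why a copied cookie value is accepted as long as the ticket is live, and how a revocation step (password change or "sign out everywhere") makes that same value stop working, while the `Secure` and `HttpOnly` attributes close off the plaintext-network and script (XSS) theft paths where they apply.

```python
"""Server-side session tickets with revocation (added example, not Microsoft's code)."""
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: str) -> str:
    """Integrity tag so the ticket fields cannot be edited client-side."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Tracks live tickets so a stolen cookie can be invalidated on the server."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self.sessions = {}    # session_id -> (user, generation, issued_at)
        self.generation = {}  # user -> int; bump it to revoke every ticket of that user

    def issue(self, user: str) -> str:
        """Return the opaque value that goes into the auth cookie."""
        gen = self.generation.setdefault(user, 0)
        sid = secrets.token_urlsafe(24)  # urlsafe alphabet never contains '.'
        self.sessions[sid] = (user, gen, time.time())
        payload = f"{sid}.{gen}"
        return f"{payload}.{_mac(payload)}"

    def validate(self, ticket: str):
        """Return the user for a live ticket, or None for a tampered, revoked or expired one."""
        try:
            sid, gen_str, mac = ticket.rsplit(".", 2)
        except ValueError:
            return None
        payload = f"{sid}.{gen_str}"
        if not hmac.compare_digest(mac, _mac(payload)):
            return None  # forged or edited ticket
        entry = self.sessions.get(sid)
        if entry is None:
            return None  # revoked individually, expired, or never issued
        user, gen, issued_at = entry
        if str(gen) != gen_str or gen != self.generation.get(user):
            return None  # password changed / signed out everywhere since issue
        if time.time() - issued_at > self.ttl:
            del self.sessions[sid]
            return None
        return user

    def revoke(self, ticket: str) -> None:
        """Log out of one browser: drop just that ticket."""
        sid = ticket.split(".", 1)[0]
        self.sessions.pop(sid, None)

    def revoke_all(self, user: str) -> None:
        """Password change or sign-out-everywhere: every outstanding ticket stops validating."""
        self.generation[user] = self.generation.get(user, 0) + 1


def set_cookie_header(ticket: str) -> str:
    """Cookie attributes for the ticket: Secure keeps it off plaintext HTTP (the
    same-network MITM case), HttpOnly keeps it out of reach of page script (XSS)."""
    return f"auth={ticket}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Walk through issue, replay, revocation and re-issue for one constructed user."""
    store = SessionStore()
    ticket = store.issue("alice")
    # A copy of the cookie value presented from any browser is indistinguishable
    # from the original while the ticket is live ...
    before = store.validate(ticket)
    # ... until the server revokes it; the copied value is now rejected.
    store.revoke_all("alice")
    after = store.validate(ticket)
    fresh = store.issue("alice")
    return {
        "before": before,
        "after": after,
        "fresh": store.validate(fresh),
        "header": set_cookie_header(fresh),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The generation counter is what makes "sign out everywhere" cheap: nothing has to be enumerated or deleted, every ticket minted under the old generation simply fails the comparison. Per-ticket revocation still has to remove the entry, and a TTL bounds how long a copied value stays useful if the user never revokes at all.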