Quick fix for Hotmail password bug

  • Published
Hotmail screengrab
Image caption,
Videos were posted online showing the bug being used to hijack email accounts

Microsoft has rushed out a fix for a serious bug in its Hotmail webmail services.

The bug allowed a hacker to reset the password for a Hotmail account, locking out its owner and giving the attacker access to the inbox.

The fix was put together because the bug was starting to be actively exploited online.

One security news site reported that some hackers were offering to hack Hotmail accounts for $20 (£12).

Computer security researchers discovered the vulnerability in early April and told Microsoft about it soon afterwards. The bug revolved around the way Hotmail handles the data that must pass back and forth when a user wants to reset their password.

Using add-on tools for the Firefox browser, hackers realised they could tamper with the data passing between a user and Hotmail servers in a way that handed them control over an account they targeted.

As knowledge of the bug spread, some started offering to hack accounts for cash and others posted YouTube videos of Hotmail accounts being taken over in real time.

It is not clear how many Hotmail accounts have been hacked by attackers exploiting the bug. Those who have fallen victim will know because they will find they are locked out of their Hotmail account.

With the bug being "actively exploited", Microsoft found a way to fix it and updated Hotmail to close the loophole a day or so later. Now Hotmail servers return an error when attackers try to manipulate data exchanges.

Microsoft issued a short statement about the fix and said no further action was needed by customers.

Hotmail is the world's largest web-based email service and Microsoft claims that it has about 350 million users.

Related Internet Links

The BBC is not responsible for the content of external sites.