0day Exploit In hotmail

Hi guys just read about 0day exploit in Hotmail
that lead you to Loosing your account Permenantly by tampering data
in the Recover Password Page
any news about that ?

 

Do you mean it happened very recently? Where have you read it?

Something similar happened in the past, though; judging by a quick search.

 

Something like Friday or something i have also a tut page on How to exploit it
it's very easy exploit :/

wonder if it did get Fixed

i read it on an UnderGround Site
i can Give a Link to A microsoft Employ to FIx this if it's still active
Do you know anyone here in the Forum ?

 

This sounds like back in the day with the rise of websites that asked you to type in your password and they "told" you who has blocked you :x

 

Nope all the work can be done in The Main Live.com or hotmail.com site

 

How does the exploit work? Does it come from a Malicious adverstisement loading?

 

Nope you can Do it using Tamperdata Addon

 

it's a conformed Exploit it spreaded so Fast
It's being used by some GoV to Spy on Activest anyway
where do i report such exploit to Microsoft

 

my hotmail account got hit friday,lucky for me their wasnt much in the account.
opened new email account elseware, changed all passwords shopping,papal,router etc,dont use facebook or twitter.no money gone from bank as i dont do online banking also installed keypass just incase and truecrypt for a few files.aslo ran some ondemand scans which were clean.

 

just an up date,
i may have this wrong but just read that you had to
open an email and click the ulr to to get this to work.
strange really as i never open unknown mail or follow links.

 

this hack will allow the hacker to change the Mail password without any user interaction
wich is Totally Remote exploit !!!!!!

it's very very very serious EXPLOIT

why people here are not caring i'm not Spreading FUD
i saw the article and LOT of People changed their Mail service because of it

the exploit simply allow the hacker to change the Hotmail account Password Remotly
without anyuser interaction

Guys i'm reporting it what more need to explain Guys !!!!!!!!!!!!!!!!!
why the security people always Late to Respond

 

Report it
http://technet.microsoft.com/en-us/security/ff852094

 

Question about the exploit. Does it require a third-party connection? I mean, is the exploit hosted at Microsoft's own servers? If does require a third-party connection, and if, in fact, there's danger, then all you got to do is to restrict communications to Microsoft/Hotmail's server IPs/domains.

 

There were some issues with Hotmail ads in the past. It could very well be the source; these are automatically loaded, and you don't need to click in anything. Granted, whatever could happen afterwards, could very well be prevented. I remember someone posting one of such situations sometime ago, and it tried to make the user install something.

 

no nothing is required it's an EXPLOIT using the Email recovery option in forgot password
section
by using TamperData and Minpulating the HTML requests Post and GET stuff
you will be able to by pass a step and you will go to the enter new Password Page

then the hacker will get a FULL!!!! control of the account Remotly
i sent the URL with the explination of the Exploit to Cudni so he can Report it
i was surfing i found that Thing and what it Look it's not Old couple of day Late

anyway hope it get Fixed Today

 

Yes, it's an exploit. You've said it a few times already. But, the question was: Where is the exploit hosted? Is it hosted at Microsoft's own servers?

Even if you don't need to interact with the exploit, the exploit code still needs to get executed. So, where is the exploit code hosted?

-edit-

I think I'm understanding now. It's a flaw in Hotmail itself (e-mail recovery option), correct?

 

The vulnerability is in the MS servers, I assume. It can be exploited by anyone who can access those servers ie: anyone.

 

Here is the real information

The bug has been reported some days ago by benjamin kunz mejri of vulnerability-lab.com & also by another unknown researcher to msrc.

TITLE: Microsoft MSN Hotmail - Password Reset & Setup Vulnerability
WATCH: http://www.vulnerability-lab.com/get_content.php?id=529

The issue has been patched to 80% by MSRC last 2 days. I only wait till they confirm then the information will flow to all of ya.

 

Microsoft is aware of it and is investigating. Thanks for the report.

 

Thanks for bringing in some sanity.

 

Indeed

 

any more news on this exploit?
been trying to tell people but they dont seem
to belive its true

 

Even I, (if I'm not a user of Wilders), won't believe it. LOL

 

I think the main problem is that, at first - at least me - it sounded as if Hotmail was redirecting users to some exploit. Which is why I mentioned that it happened in the past - an hijacked advertisement. Also the reason I mentioned that restricting communications only to Hotmail servers would solve it.

I mean 0-day exploit... I usually think of exploits against the web browsers/plug-ins. Then, it isn't really a 0-day exploit - Microsoft seems to be aware of it for 3 days now, at least, and got it most of the issue solved by now, according to kaioo.

A title like Hotmail vulnerable and open to attacks or something more catchy, would have made it more clear... to me.

 

More info here:
http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/