Microsoft has issued a fix for a scary and potentially disastrous Hotmail vulnerability that could allow hackers to erase your email password, set up their own, and take over your account.
The previously undisclosed vulnerability made it possible for a remote attacker to bypass Hotmail's password recovery service and exploit the bug to reset the password using their own values, according to a notice from Vulnerability Laboratory. Hotmail has more than 350 million active users, and is the largest Web-based email service provider in the world.
"Successful exploitation results in unauthorized MSN or Hotmail account access," Vulnerability Laboratory wrote. "An attacker can decode Captcha and send automated values over the MSN Live Hotmail module."
Essentially, an attacker, operating remotely, could hijack your Hotmail account, change the password so you can't log in, and then have his way with your private emails and any other confidential data, such as financial information, you keep in there.
In an official statement, Microsoft said it "addressed an incident with password reset functionality," and that "there is no action for customers, as they are protected."
According to researchers at Kaspersky Lab, a Saudi Arabian hacker working for Dev-point.com first discovered the critical Hotmail bug. The hacker leaked the flaw to underground cybercrime forums, where it was "widely used" to attack Hotmail accounts.
Hackers were reportedly charging $20 to break into a Hotmail account of the buyer's choice. Researchers from the security firm Sophos said the hackers made use of a Firefox add-on called Tamper Data to bypass the protections Microsoft uses to keep Hotmail accounts secure.
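The reports above describe the flaw only at a high level: a reset request whose fields the attacker could edit in transit was accepted as if the legitimate verification step had been completed. The exact Hotmail implementation was never published, so the following is an added, illustrative example (not Microsoft's code and not from the researchers quoted here) of the general pattern: a reset handler that trusts client-supplied fields, beside one that binds the reset to a random, single-use, expiring server-side token. All names, the in-memory stores and the form fields are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset tokens are only honoured briefly


def fresh_stores():
    """Constructed in-memory stand-ins for the user table and the reset-token table."""
    users = {"alice@example.com": {"password": "old-secret"}}
    tokens = {}  # sha256(token) -> {"account": ..., "expires": ..., "used": ...}
    return users, tokens


def vulnerable_reset(users, form):
    """Weak pattern: both the account being reset and the 'verification done'
    marker come from the client. Editing the POST body, which a request
    tampering add-on makes trivial, lets a request name any account and skip
    the verification step entirely."""
    if form.get("verified") != "1":
        return False
    account = form.get("account")
    if account not in users:
        return False
    users[account]["password"] = form["new_password"]  # real code stores a password hash
    return True


def _token_hash(token):
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(users, tokens, account, now=None):
    """Server-side step: mint a random, single-use, expiring token bound to the
    account and deliver it out of band (e.g. to the address on file).
    Returns the token, or None if the account does not exist."""
    now = time.time() if now is None else now
    if account not in users:
        return None
    token = secrets.token_urlsafe(32)
    tokens[_token_hash(token)] = {
        "account": account,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def hardened_reset(users, tokens, form, now=None):
    """Hardened pattern: nothing about *which* account is reset is taken from
    the form. The token alone selects the account, and it must be unused and
    unexpired. Any tampered or guessed field simply fails the lookup."""
    now = time.time() if now is None else now
    record = tokens.get(_token_hash(form.get("token", "")))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single use: a replayed request fails
    users[record["account"]]["password"] = form["new_password"]  # hash in real code
    return True


if __name__ == "__main__":
    users, tokens = fresh_stores()
    # The weak handler accepts a request that merely claims to be verified.
    print("vulnerable:", vulnerable_reset(
        users, {"account": "alice@example.com", "new_password": "x", "verified": "1"}))
    users, tokens = fresh_stores()
    # The hardened handler rejects the same kind of forged request ...
    print("hardened, forged:", hardened_reset(
        users, {"account": "alice@example.com", "new_password": "x", "verified": "1"}))
    # ... and only honours a token it issued itself, exactly once.
    t = issue_reset_token(users, tokens, "alice@example.com")
    print("hardened, real token:", hardened_reset(users, tokens, {"token": t, "new_password": "y"}))
    print("hardened, replayed:", hardened_reset(users, tokens, {"token": t, "new_password": "z"}))
```

The design point is that the server never lets the client tell it which account has been verified: that fact lives only in the token record, which the server created, which expires, and which is consumed on first use. A detection-side corollary is that reset requests carrying a token that does not exist, has expired, or was already used are worth logging and rate limiting, since a burst of them is the signature of exactly the automated abuse described above.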