IE 11 is not supported. For an optimal experience visit our site on another browser.

Microsoft fixes critical Hotmail password bug

Microsoft Hotmail logo
Microsoft

Microsoft has issued a temporary fix for a scary and potentially disastrous Hotmail vulnerability that could allow hackers to erase your email password, set up their own and take over your account.

The previously undisclosed vulnerability made it possible for a remote attacker to bypass Hotmail's password recovery service and exploit the bug to reset the password using their own values, according to a notice from Vulnerability Laboratory. Hotmail has more than 350 million active users, and is the largest Web-based email service provider in the world.

(Msnbc.com is a joint venture of Microsoft and NBCUniversal.)

"Successful exploitation results in unauthorized MSN or Hotmail account access," Vulnerability Laboratory wrote. "An attacker can decode Captcha and send automated values over the MSN Live Hotmail module."

[Password Overload: How Can Anyone Remember Them All?]

Essentially, an attacker, operating remotely, could hijack your Hotmail account, change the password so you can't log in, and then have his way with your private emails and any other confidential data, such as financial information, you keep in there.

According to researchers at Kaspersky Lab, a Saudi Arabian hacker working for Dev-point.com first discovered the critical Hotmail bug. The hacker leaked the flaw to underground cybercrime forums, where it was "widely used" to attack Hotmail accounts.

Hackers were reportedly charging $20 to break into a Hotmail account of the buyer's choice. Researchers from the security firm Sophos said the hackers made use of a Firefox add-on called Tamper Data to bypass the protections Microsoft uses to keep Hotmail accounts secure.

Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.