27 Apr 2012
Microsoft has fixed the Hotmail password reset vulnerability that was reported as exploited in the wild for days. The company was notified on April 20 of the flaw, which was known to be spreading rapidly in the hacking community.
"We addressed a reset function incident to help protect Hotmail customers," Microsoft representatives said in a short statement. "No action needed."
The password flaw was allegedly discovered not only by researchers, but also by a Saudi hacker. According to reports, cyber crooks were initially offered $20 to crack accounts. Soon after, the technique became widely available and spread through video tutorials, especially on the Arabic-speaking Internet.
Hotmail's password reset system uses tokens to ensure that only the account holder can change account data. If the validation of those tokens is not handled properly, an attacker can reset the password of any account.
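To show why token validation matters, here is an added illustration (not Hotmail's code, and not the actual flaw) of the general failure class: a reset handler that merely checks a token exists, beside one that binds the token to the account, expires it and allows it only once. Account names, the in-memory stores and the hashing scheme are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stores standing in for a real account database.
USERS = {
    "alice@example.com": {"password": "alice-old-secret"},
    "bob@example.com": {"password": "bob-old-secret"},
}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires_at": ...}


def issue_reset_token(email, now=None):
    """Create a reset token bound to one account; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def reset_password_weak(email, token, new_password):
    """Flawed handler (hypothetical): the token is checked for existence only,
    never against the account named in the request, so a token issued for one
    account can reset any other."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    if digest not in RESET_TOKENS or email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True


def reset_password_hardened(email, token, new_password, now=None):
    """Accepts the reset only if the token is bound to this account,
    has not expired and has not been used before."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(digest)
    if record is None or now > record["expires_at"]:
        return False
    if record["email"] != email or email not in USERS:
        return False
    del RESET_TOKENS[digest]  # single use: a replayed token is rejected
    USERS[email]["password"] = new_password
    return True
```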