Friday, April 27, 2012

Security vulnerabilities are not sparing Hotmail


Quietly fixed by Microsoft two weeks after its discovery, a security hole had been living in the Hotmail ecosystem. It sat in a critical component: the tool for recovering e-mail accounts, i.e. the password-reset page.

The trick, which relied on nothing more than a simple Firefox extension, let anyone bypass some of the checks in place and gain unrestricted access to the password-reset page associated with any address, leaving the victim locked out of their own account.

In the words of Benjamin Mejri Kunz, one of the researchers who uncovered the flaw, this vulnerability could compromise the privacy of thousands of users.

While the scale of the phenomenon remains unclear, early reports point to widespread abuse in the Middle East. Some people simply lost access to their social network accounts. The abuse even led to extortion attempts involving services such as PayPal.

Once the news spread, tutorials flourished on the Web. Some improvised pirates took advantage of it and went so far as to offer their account-hijacking services for a fee.

To carry out the attack, all that was needed was to install an add-on in the Firefox browser: in this case Tamper Data, which lets the user modify HTTP requests in real time before they leave the browser.

The subterfuge consisted of visiting the password-reset page, intercepting the outgoing request and inserting crafted values in order to bypass the identification token that Microsoft relies on as a protection.

Normally, if that token value is empty, the session is automatically terminated. Inserting the string "+++)-" in its place was enough to fool this routine: the page accepted the request even though the token did not match anything the server had issued.
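The behaviour described above is consistent with a reset endpoint that only checks whether the token field is present, not whether it matches a value the server itself issued. The following Python is an added illustration of that distinction, written for this page; it is not Microsoft's code, and the `ResetService` class, its methods and the sample form data are assumptions. The weak check reproduces the flaw (a request tampered to carry "+++)-" passes), while the hardened check binds the token to the account, compares it in constant time, expires it and allows a single use.

```python
"""Assumed model of the Hotmail password-reset flaw (illustration, not Microsoft's code)."""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


class ResetService:
    """Stand-in for a password-reset endpoint (hypothetical class, not a real API)."""

    def __init__(self):
        # account -> (token, expiry): only tokens the server itself handed out
        self._issued = {}

    def issue(self, account, now=None):
        """Issue a fresh, unguessable reset token for an account."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._issued[account] = (token, now + TOKEN_TTL_SECONDS)
        return token

    @staticmethod
    def weak_check(form):
        """Assumed flawed routine: the only thing it rejects is an empty token field."""
        return form.get("token", "") != ""

    def check(self, form, now=None):
        """Hardened routine: token must be issued, unexpired, equal, and single-use."""
        now = time.time() if now is None else now
        account = form.get("account", "")
        entry = self._issued.get(account)
        if entry is None:
            return False
        expected, expires = entry
        if now > expires:
            del self._issued[account]
            return False
        # Constant-time comparison against the value the server actually issued
        if not hmac.compare_digest(form.get("token", "").encode(), expected.encode()):
            return False
        del self._issued[account]  # consume the token so it cannot be replayed
        return True


# Constructed sample request, as Tamper Data would let an attacker edit it in flight
TAMPERED_FORM = {"account": "victim@example.com", "token": "+++)-", "new_password": "pwned"}


def demo():
    """Run both checks against a tampered and a legitimate reset request."""
    svc = ResetService()
    legit = {"account": "victim@example.com",
             "token": svc.issue("victim@example.com"),
             "new_password": "new-secret"}
    return {
        "weak_accepts_tampered": ResetService.weak_check(TAMPERED_FORM),
        "hardened_rejects_tampered": not svc.check(TAMPERED_FORM),
        "hardened_accepts_issued": svc.check(legit),
        "hardened_rejects_replay": not svc.check(legit),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point a practitioner should take from the comparison: a client-supplied field can never be trusted to prove anything on its own, and a "non-empty" or format check on a token is not a check at all once the attacker controls the request body. The token has to be looked up on the server side, tied to the account it was issued for, and invalidated after use or expiry.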

Spread more by word of mouth than by the work of seasoned engineers, the discovery of the flaw goes back to April 6. Microsoft acknowledged it two weeks later, on April 20, and immediately deployed a fix, warning users with a single message on its Twitter account.
