A critical vulnerability affecting Microsoft's Hotmail has been identified simultaneously by Vulnerability-Lab researchers and Saudi Arabia hackers, that allows a hacker to reset the Hotmail/MSN password. Fortunately,Microsoft patched the vulnerability.
"Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values '+++)-'." explained by vulnerability-lab researchers.
"Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module."
According to the WhiteC0de, the details of the hack got leaked on an underground forum where the hacking service was advertised for $20 (15 EUR) per hacked Hotmail/Live account.
