Microsoft Closes Major Hotmail, Passport, .Net Security Hole: Microsoft has closed a major Hotmail / Passport / .NET security hole that allowed remote attackers to reset the password on virtually any account with no need for any information other than the email address used.
A password reset form, available at the Passport website, allowed users to request password-change information for their account. Unfortunately it also allowed any email address to be specified as the destination for that information. This enabled remote attackers to specify a victim's email address together with an address they controlled, to which the password reset information would then be sent. This web application has now been taken offline, closing the flaw.
Additionally, there are other forms that allow for account password resetting, many of which rely on asking the user questions to which only the user should know the answer. Unfortunately many of these questions are weak, such as "what is your name?" or "what is your mother's maiden name?". Oftentimes this information is publicly available and easy to find.
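To make the design point concrete, here is an added example (not Microsoft's or Passport's code) contrasting a reset handler with the flaw described above against a hardened one: the reset token is only ever delivered to the address on file, it is random, stored as a hash, expiring and single-use, and the form gives the same response whether or not the account exists. The account store, outbox and all names are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample account store: the address on file is the only place
# reset information may ever be delivered.
ACCOUNTS = {"alice@example.com": {"reset": None}}
OUTBOX = []  # constructed stand-in for the mail system: (recipient, body)


def request_reset_vulnerable(account, deliver_to):
    """Mirrors the described flaw: the caller chooses where reset info goes."""
    if account in ACCOUNTS:
        OUTBOX.append((deliver_to, f"reset info for {account}"))
    return "If the account exists, reset information has been sent."


def request_reset_hardened(account, ttl_seconds=900, now=None):
    """Deliver a random, expiring, single-use token only to the address on file."""
    now = time.time() if now is None else now
    record = ACCOUNTS.get(account)
    if record is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        record["reset"] = {
            # Store only a hash so a leaked database does not expose live tokens.
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + ttl_seconds,
        }
        OUTBOX.append((account, f"reset token: {token}"))
    # Identical response either way, so the form cannot enumerate accounts.
    return "If the account exists, reset information has been sent."


def redeem_reset_token(account, token, now=None):
    """Return True once for a matching, unexpired token, then burn it."""
    now = time.time() if now is None else now
    record = ACCOUNTS.get(account)
    pending = record["reset"] if record else None
    if pending is None or now > pending["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    ok = secrets.compare_digest(digest, pending["digest"])  # constant-time
    if ok:
        record["reset"] = None  # single use
    return ok
```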