Microsoft is not having a very good few days, with the IE bug fixes and all, and now comes word that hackers are having a go at the password reset protection of Hotmail.
Security researchers have discovered a vulnerability in Microsoft's Hotmail service that allows hackers to bypass the security questions users must answer before resetting their passwords.
Normally, if Hotmail users forget their password they must fill out a Web form that requires their e-mail address, state, zip code and country. Users who enter the correct information are then prompted for the answer to the "secret question" they selected when signing up for the service.
According to information obtained by Newsbytes, hackers recently discovered a way to skip the validation form and go directly to any user's "secret question" prompt. From there, the intruder is only one step away from resetting the user's password.
Sources say that since the discovery of the security hole roughly two weeks ago, a small cadre of hackers has been patiently checking a long list of high-profile and desirable usernames for easily guessed answers to secret questions.
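The flaw described above is a step-sequencing bug: the secret-question page could be reached without first passing the validation form, and the guessing campaign then worked because answers could be tried at leisure. As an added illustration, not taken from the article or from Microsoft's code, this Python sketch shows that vulnerable pattern beside a hardened flow in which each step requires a server-side token minted by the previous one and repeated wrong answers lock the account (the account record, names and attempt limit are constructed).

```python
import hmac
import secrets

# Constructed sample account, not real Hotmail data.
ACCOUNTS = {"alice@example.com": {"state": "WA", "zip": "98052", "country": "US",
                                  "question": "Name of your first pet?", "answer": "fluffy"}}
MAX_ANSWER_ATTEMPTS = 3

# Vulnerable pattern: step 2 trusts that the client completed the validation
# form, so anyone who knows a username can request the question directly.
def vulnerable_get_question(username):
    acct = ACCOUNTS.get(username)
    return acct["question"] if acct else None

# Hardened pattern: server-side state ties step 2 to a completed step 1.
_PENDING = {}  # token -> username; in production these entries would expire
_FAILED = {}   # username -> failed answer count, to stop patient guessing

def start_reset(username, state, zip_code, country):
    """Step 1: validate the form; only then mint a one-time token."""
    acct = ACCOUNTS.get(username)
    if acct is None or _FAILED.get(username, 0) >= MAX_ANSWER_ATTEMPTS:
        return None
    checks = [hmac.compare_digest(state, acct["state"]),
              hmac.compare_digest(zip_code, acct["zip"]),
              hmac.compare_digest(country, acct["country"])]
    if not all(checks):
        return None
    token = secrets.token_urlsafe(32)
    _PENDING[token] = username
    return token

def get_question(token):
    """Step 2: the question is served only against a valid step-1 token."""
    username = _PENDING.get(token)
    return ACCOUNTS[username]["question"] if username else None

def answer_question(token, answer):
    """Step 3: one attempt per token; lock the account after repeated misses."""
    username = _PENDING.pop(token, None)
    if username is None:
        return False
    if hmac.compare_digest(answer.strip().lower(), ACCOUNTS[username]["answer"]):
        _FAILED.pop(username, None)
        return True
    _FAILED[username] = _FAILED.get(username, 0) + 1
    return False
```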
Screenshots obtained by Newsbytes showed that the password and secret question for at least one highly desirable Hotmail username of the sort traditionally reserved for system administrators had been changed to "Who owns you????" Another hacked secret question was changed to an Internet address for a hacker group's Web site.
News source: washingtonpost.com - Newsbytes