The Hack o blog

Reinventing the weel

Hotmail exploit that allows changing of a large percentage of peoples passwords.

Windows Live Hotmail logo

Image via Wikipedia

It is now fixed, but here is the Hotmail exploit.

The link: https://maccount.live.com/ac/resetpwdmain.aspx

How it worked:

  1. Type in the Hotmail email you want to change the password for.
  2. Fill out the captcha.
  3. View page source on the next page and see what the users secondary email is (if it exists).
  4. Check to see if the email is registered (alot of people don’t even bother registering them). If it is, do the same thing you just did and keep going back until you have control over the first account you can.
  5. Reset passwords to those emails address in a daisy-chain fashion until you have control.

The old email used to be a hidden input element on the password reset form, but they just fixed it.

(source)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: