Reinventing the weel
Hotmail exploit that allows changing of a large percentage of peoples passwords.
February 5, 2011Posted by on
It is now fixed, but here is the Hotmail exploit.
How it worked:
- Type in the Hotmail email you want to change the password for.
- Fill out the captcha.
- View page source on the next page and see what the users secondary email is (if it exists).
- Check to see if the email is registered (alot of people don’t even bother registering them). If it is, do the same thing you just did and keep going back until you have control over the first account you can.
- Reset passwords to those emails address in a daisy-chain fashion until you have control.
The old email used to be a hidden input element on the password reset form, but they just fixed it.