The Hack o blog

Reinventing the wheel

Hotmail exploit that allows changing a large percentage of people's passwords.


It is now fixed, but here is the Hotmail exploit.

The link:

How it worked:

  1. Type in the Hotmail email address you want to change the password for.
  2. Fill out the CAPTCHA.
  3. View the page source on the next page to see what the user's secondary email address is (if one exists).
  4. Check whether that address is registered (a lot of people don't even bother registering them). If it is, do the same thing you just did and keep going back until you reach the first account you can control.
  5. Reset the passwords of those email addresses in a daisy-chain fashion until you have control.

The secondary (recovery) email address used to be a hidden input element on the password reset form, but they have just fixed it.
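To make the flaw concrete from the defender's side, here is an added example (not code from the post or from Hotmail) of a password-reset page rendered two ways: the flawed pattern the post describes, where the recovery address rides along in a hidden input so anyone who has passed the CAPTCHA can read it from the page source, and a hardened version where the recovery address never leaves the server, the form carries only an opaque single-use token, and the user sees a masked hint. The account store, the in-memory token table and the helper names are all assumptions made for the demo. The `page_leaks_recovery_email` check is the kind of test a reviewer can run over rendered markup to catch this class of leak.

```python
import html
import secrets

# Constructed sample user store (assumption: stands in for the real account database).
ACCOUNTS = {
    "victim@example.invalid": {"recovery_email": "victim.backup@example.invalid"},
}

# Server-side table mapping an opaque reset token to the pending reset
# (assumption: in-memory dict for the demo; a real service would use a store with expiry).
PENDING_RESETS = {}


def mask_email(address: str) -> str:
    """Show only the first character of the local part and of the domain,
    e.g. 'victim.backup@example.invalid' -> 'v***@e***.invalid'."""
    local, domain = address.rsplit("@", 1)
    tld = domain[domain.rfind("."):] if "." in domain else ""
    return f"{local[0]}***@{domain[0]}***{tld}"


def render_reset_page_vulnerable(username: str) -> str:
    """The flawed pattern: the recovery address is embedded in a hidden input,
    so it is visible to anyone who views the page source."""
    recovery = ACCOUNTS[username]["recovery_email"]
    return (
        "<form method='post' action='/reset/send'>"
        f"<input type='hidden' name='account' value='{html.escape(username)}'>"
        f"<input type='hidden' name='recovery_email' value='{html.escape(recovery)}'>"
        "<p>A reset link will be sent to your alternate address.</p>"
        "<button>Send</button></form>"
    )


def render_reset_page_fixed(username: str) -> str:
    """Hardened pattern: the recovery address stays server-side; the page carries
    only an opaque token plus a masked hint, and the follow-up request redeems the token."""
    recovery = ACCOUNTS[username]["recovery_email"]
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[token] = {"account": username, "recovery_email": recovery}
    return (
        "<form method='post' action='/reset/send'>"
        f"<input type='hidden' name='reset_token' value='{token}'>"
        f"<p>A reset link will be sent to {html.escape(mask_email(recovery))}.</p>"
        "<button>Send</button></form>"
    )


def redeem_reset_token(token: str):
    """Server-side lookup for the /reset/send handler. Single use: returns the
    pending reset once, and None for an unknown or already-used token."""
    return PENDING_RESETS.pop(token, None)


def page_leaks_recovery_email(page: str, username: str) -> bool:
    """Review check over rendered markup: does the recovery address appear verbatim?"""
    return ACCOUNTS[username]["recovery_email"] in page


if __name__ == "__main__":
    user = "victim@example.invalid"
    print("vulnerable page leaks recovery email:",
          page_leaks_recovery_email(render_reset_page_vulnerable(user), user))
    print("fixed page leaks recovery email:",
          page_leaks_recovery_email(render_reset_page_fixed(user), user))
```

The design point is that anything placed in the page, hidden inputs included, is readable by whoever requested it; a CAPTCHA only rate-limits that reader. Keeping the sensitive value behind an opaque, single-use token means the page can confirm where the reset will go (via the masked hint) without handing out the address that the chaining attack relied on.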
