Theft of Yahoo, AOL and Hotmail accounts

Published on May 05, 2012

Vulnerabilities have recently been found in the popular mail services Yahoo, AOL and Hotmail that allow access to other people's accounts.

The essence of the vulnerabilities is the same in every case: a logic error in the password-recovery flow made it possible to set a new password while bypassing the check that the user is the legitimate owner (answering the security question, confirming via the alternate address, and so on).

Video demonstration for Hotmail:

Apparently the vulnerabilities have already been fixed, since I could not use them. Even so, there is not enough data to repeat the steps. For example, in the case of Yahoo, it remained a mystery why it was necessary to change the Z variable in the POST request. And for Hotmail, it is not clear what to assign to the __V_SecretAnswerProof variable. But the video above is evidence that the vulnerabilities were present.

In the case of Hotmail, the vulnerability worked if the victim used an alternate email address to recover the password. Hotmail also allows you to recover your password by answering a security question, but no exploit was provided for that case.
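The common root cause the post describes, a reset flow whose "ownership proven" decision can be separated from the server's own record of whether the proof happened, is easiest to see side by side. The following is an added example, not code from the post or from any of the three providers: a toy in-memory reset flow whose names (Account, ResetFlow, start_reset, prove_ownership, set_password_*) and the alternate-address token mechanism are all hypothetical. The vulnerable variant believes a client-supplied "verified" flag, much like an opaque proof parameter in a form; the hardened variant keeps the verified bit as server-side state that only a correct, unexpired, single-use token can flip.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Constructed in-memory data for this example; not any real provider's schema.
@dataclass
class Account:
    email: str
    password: str
    alt_email: str          # the recovery address the proof token is sent to


@dataclass
class ResetFlow:
    """Server-side state for one password-recovery attempt."""
    account: str
    proof_token: str        # random token delivered to alt_email, never to the browser
    expires_at: float
    verified: bool = False  # flipped ONLY by prove_ownership() after a correct token
    used: bool = False      # a flow may set the password at most once


ACCOUNTS: Dict[str, Account] = {
    "alice@example.test": Account("alice@example.test", "old-pw", "alice.alt@example.test"),
}
FLOWS: Dict[str, ResetFlow] = {}
TOKEN_TTL_SECONDS = 15 * 60


def start_reset(email: str) -> Optional[Tuple[str, str]]:
    """Step 1: open a flow and mint the single-use proof token.

    Returns (flow_id, token). In a real service the token goes out by e-mail
    to alt_email; it is returned here only so the example can drive the flow.
    """
    if email not in ACCOUNTS:
        return None
    flow_id = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    FLOWS[flow_id] = ResetFlow(email, token, time.time() + TOKEN_TTL_SECONDS)
    return flow_id, token


def set_password_vulnerable(flow_id: str, client_proof_flag: bool, new_password: str) -> bool:
    """The anti-pattern: the 'was the user verified?' decision rides in the request.

    Whatever the client sends as client_proof_flag is believed, so the
    alternate-address check can be skipped entirely.
    """
    flow = FLOWS.get(flow_id)
    if flow is None:
        return False
    if client_proof_flag:
        ACCOUNTS[flow.account].password = new_password
        return True
    return False


def prove_ownership(flow_id: str, submitted_token: str) -> bool:
    """Step 2 (hardened): compare the submitted token with the one the server minted."""
    flow = FLOWS.get(flow_id)
    if flow is None or flow.used or time.time() > flow.expires_at:
        return False
    # Constant-time comparison on bytes so the check does not leak a byte at a time.
    if not hmac.compare_digest(flow.proof_token.encode(), submitted_token.encode()):
        return False
    flow.verified = True
    return True


def set_password_hardened(flow_id: str, new_password: str) -> bool:
    """Step 3 (hardened): the only client input is the new password; 'verified' is server state."""
    flow = FLOWS.get(flow_id)
    if flow is None or not flow.verified or flow.used or time.time() > flow.expires_at:
        return False
    flow.used = True                 # single use: a replay with the same flow fails
    ACCOUNTS[flow.account].password = new_password
    return True


if __name__ == "__main__":
    fid, tok = start_reset("alice@example.test")
    print("set before proof:", set_password_hardened(fid, "new-pw"))   # False
    print("prove with right token:", prove_ownership(fid, tok))        # True
    print("set after proof:", set_password_hardened(fid, "new-pw"))    # True
    print("replay:", set_password_hardened(fid, "other-pw"))           # False
```

The point of the contrast is where the "proven" bit lives: in the hardened flow nothing the browser sends can assert it, only a token the server itself generated and bound to that flow, with an expiry and one-shot use so a leaked or replayed request cannot reset the password twice.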

At the moment, AOL returns an error even during a normal recovery attempt, with no tampering at all:

    We're sorry. There is no information to reset your password.
    For further assistance, you can contact a representative directly by calling 1-855-PWRESET (855-797-3738), Monday - Sunday, 8:00 AM - 10:00 PM (EST).

The identity-verification page that precedes it offers these options:

    Verify this is your account

    Please select one of the following options to verify your identity.

    Alternate Email Address
    Billing Information
    Account Security Question