It appears that both Hotmail and Outlook.com are vulnerable to an attack that could give criminals full control of an account, apparently because of how the services manage cookies and sessions.
Security expert Rishi Narang detailed the flaw on his blog, stating that Microsoft's email platforms, along with Twitter, Yahoo and LinkedIn accounts, all suffered from the vulnerability, one that could be exploited even by novice attackers:
“Microsoft mail services are vulnerable to this session management flaw. Apart from your regular MSN/Live email accounts, you can also move your corporate accounts on outlook exchange mail service. Thus, it also affects your Microsoft hosted corporate accounts. Now, the problem with outlook/live is that it authenticates the old session cookies even if the user has logged out from the session.”
An attacker who steals someone's authentication cookie could keep using it, because the server still honours the session it represents even after the cookie has expired and been deleted from the browser:
“So what just happened? How is the old cookie still being validated at the server end? The cookie expires at the end of the session and gets deleted from the browser, but what about the server? Why does the server maintain the authentication cookie, and for how long will this be valid? No idea, but scary.”
According to the security expert, cookies that were days or even months old were still accepted, meaning anyone holding a copy of one could access the account from any location in the world.
Even if the user had logged in and out many times since, the old cookie could still be used.
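The behaviour described above, as an added example that is not code from Microsoft or from Rishi Narang's post: a toy in-memory session store whose "vulnerable" logout only tells the browser to drop the cookie while the server keeps honouring the token, beside a "fixed" logout that invalidates the server-side record. The one-day absolute lifetime and the cookie name are assumptions chosen for the illustration.

```python
"""Toy session store illustrating a logout that does not invalidate the
server-side session (the flaw described in the article) next to a fixed one.
Added example; the lifetime and cookie name below are assumptions."""
import secrets
import time

SESSION_MAX_AGE = 24 * 3600  # assumption: one-day absolute session lifetime


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the example can fast-forward time
        self._sessions = {}  # token -> {"user": str, "issued": float, "valid": bool}

    def login(self, user):
        """Issue a fresh, unguessable session token for `user`."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": self._clock(), "valid": True}
        return token

    def logout_vulnerable(self, token):
        """Clears the cookie in the browser only; the server record is untouched,
        so anyone holding a copy of the token can keep using it."""
        return {"Set-Cookie": "auth=; Max-Age=0"}

    def logout_fixed(self, token):
        """Invalidates the server-side session as well as clearing the cookie."""
        sess = self._sessions.get(token)
        if sess is not None:
            sess["valid"] = False  # deleting the entry outright would also work
        return {"Set-Cookie": "auth=; Max-Age=0"}

    def validate(self, token):
        """Return the user for a live session, or None if the token is unknown,
        has been logged out, or has exceeded its absolute lifetime."""
        sess = self._sessions.get(token)
        if sess is None or not sess["valid"]:
            return None
        if self._clock() - sess["issued"] > SESSION_MAX_AGE:
            sess["valid"] = False
            return None
        return sess["user"]


def demo():
    """Walk through the scenario from the article with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])

    token = store.login("alice")
    stolen = token  # constructed: the attacker captured a copy of the cookie value

    # Victim logs out (vulnerable logout) and logs in again several times.
    store.logout_vulnerable(token)
    for _ in range(3):
        store.login("alice")
    after_vulnerable_logout = store.validate(stolen)  # still "alice"

    # With server-side invalidation the stolen copy is dead.
    store.logout_fixed(stolen)
    after_fixed_logout = store.validate(stolen)  # None

    # Even without a logout, an absolute lifetime kills months-old tokens.
    fresh = store.login("alice")
    within_lifetime = store.validate(fresh)  # "alice"
    now[0] += 60 * 24 * 3600  # two months later
    after_expiry = store.validate(fresh)  # None

    return {
        "after_vulnerable_logout": after_vulnerable_logout,
        "after_fixed_logout": after_fixed_logout,
        "within_lifetime": within_lifetime,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two controls are independent: invalidating on logout stops the stolen copy from surviving the victim's sign-out, and the absolute lifetime bounds how long a cookie that was never explicitly logged out stays usable. A real service would also rotate the token on login and store sessions in a shared backend rather than a process-local dict.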
Microsoft has yet to respond to the report, but this is surely something the company will look into and remedy in the near future.