Hotmail and Outlook, the popular email services from Microsoft, are reported to be susceptible to hijacking using 'stolen' cookies. A cookie-handling vulnerability has been discovered that can allow cybercriminals to gain access to the accounts of Hotmail and Outlook users.
Hotmail and Outlook Accounts Susceptible to Hijacking
Mohit Kumar, Founder and Editor-in-chief of The Hacker News, along with co-security researcher Christy Philip Mathew, successfully demonstrated a cookie-handling vulnerability in the popular email service. Both have highlighted the fact that an attacker who has access to the authentication cookies can simply import them into a browser using a cookie importer add-on and log in to the victim's account if that user has previously accessed Outlook or Hotmail.
A cookie is a small piece of data sent from a website and stored in the user's web browser. These cookies are responsible for maintaining a session on the machine. When a user logs out from a PC, the session cookies expire and hence cannot be reused. This does not happen with Microsoft's web mail services, the duo believes: even after logout, the same cookies can be used to authenticate the session again and log in without the password.
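The difference the paragraph describes, between a logout that only clears the browser's cookie and one that revokes the session on the server, shown in a small constructed Python session store. This is an illustration added here, not code from Microsoft's services or from the researchers; the store, TTL and user name are assumptions.

```python
import secrets
import time

# Constructed server-side session store: session id -> {"user", "expires"}.
SESSIONS = {}
SESSION_TTL = 3600  # seconds a session stays valid without logout (assumed)


def login(user):
    """Issue a fresh, unguessable session id and record it server-side.
    The returned value is what the service would place in its Set-Cookie header."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
    return sid


def authenticate(cookie_sid):
    """Map a presented cookie to a user; None if the session is unknown or expired."""
    rec = SESSIONS.get(cookie_sid)
    if rec is None or rec["expires"] < time.time():
        SESSIONS.pop(cookie_sid, None)  # drop stale records as they are seen
        return None
    return rec["user"]


def logout_client_only(cookie_sid):
    """Flawed logout: tells the browser to delete the cookie but leaves the
    server-side record intact, so any copy of the cookie still authenticates.
    This is the behaviour the article attributes to the web mail services."""
    return "Set-Cookie: sid=; Max-Age=0"


def logout_server_side(cookie_sid):
    """Hardened logout: revoke the session in the store, then clear the cookie.
    A copied cookie is now just an unknown id."""
    SESSIONS.pop(cookie_sid, None)
    return "Set-Cookie: sid=; Max-Age=0"


def session_survives_logout(logout_fn):
    """Check: log in, keep a copy of the cookie value, log out, present the copy.
    Returns the user the copy still resolves to, or None if it was revoked."""
    sid = login("alice")
    saved_copy = sid
    logout_fn(sid)
    return authenticate(saved_copy)
```

A defender can apply the same check against a real service: log in, record the session cookie, log out, and confirm the recorded cookie is rejected afterwards.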
The two researchers have notified Microsoft of this vulnerability. What action the company's security team takes, and how soon, remains to be seen. Meanwhile, you can take a look at the video discussing the vulnerability.