Writer: HOT MAIL

Hotmail failure allowed theft of any email or MSN account

Hackers were exploiting a vulnerability in Hotmail's "password recovery" function to take over any account on the service, according to the "Whitec0de" website. Criminals were reportedly charging $20 to perform the "service" on a Microsoft Live account.

Microsoft confirmed on Twitter on Thursday (26th) that it had fixed the flaw in the service, but did not provide any further information.

The flaw was found by researcher Benjamin Kunz Mejri. According to a bulletin Mejri wrote about the vulnerability, Microsoft was warned of the problem on April 6. The problem was reportedly fixed on the 21st.

Flaw was easy to exploit

According to the expert who discovered the error, the Hotmail password recovery function relies on a so-called "token". The token is a code that confirms the legitimacy of a password change request. In one step of the process, Hotmail did not verify that the token was valid.

The token can only be obtained after correctly answering the "Secret Question" or receiving a code sent to a telephone number registered to the account. However, because the token was not checked, a hacker could change anyone's password without knowing the answer to the question or having access to the phone.

According to the "Whitec0de" site, the flaw could be exploited using the "Tamper Data" extension for Firefox. "Tamper Data" displays in real time the information the browser sends and receives while browsing. Using the extension, the attacker only needed to enter "+++" as the "token" value and the password change would be accepted.
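To make the defect concrete, here is an added example (not code from the article, Microsoft or the researcher) of a password-reset handler that only checks that a token field is present, beside a hardened version that binds the token to the account, checks its expiry, compares it in constant time and consumes it on use. The in-memory stores, the 15-minute lifetime and the account names are constructed for the demo; real code would store a password hash, not the password.

```python
import hmac
import secrets
import time

# Constructed in-memory state for the demo: pending resets keyed by account,
# and the credential store the reset handler updates.
PENDING_RESETS = {}   # account -> (token, expiry_timestamp)
CREDENTIALS = {}      # account -> password (real code stores a password hash)
TOKEN_TTL = 15 * 60   # assumed lifetime: tokens expire after 15 minutes


def issue_reset_token(account, now=None):
    """Called only after the owner proves control (secret question or phone code)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[account] = (token, now + TOKEN_TTL)
    return token


def reset_password_weak(account, token, new_password):
    """Mirrors the reported flaw: the token field is required but never validated,
    so any non-empty value such as '+++' changes the password."""
    if not token:
        return False
    CREDENTIALS[account] = new_password
    return True


def reset_password_fixed(account, token, new_password, now=None):
    """Hardened handler: the token must be the one issued for this account,
    must be unexpired, and is consumed on use."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.get(account)
    if entry is None:
        return False                      # no reset was ever requested
    expected, expiry = entry
    # Constant-time comparison avoids leaking the token through timing.
    if now > expiry or not hmac.compare_digest(expected.encode(), (token or "").encode()):
        return False
    del PENDING_RESETS[account]           # single use
    CREDENTIALS[account] = new_password
    return True
```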
