According to the researchers, Microsoft automatically retires any Hotmail account that has not been used for 270 days, but it also allows other users to request that such "expired" addresses be assigned to them.
Because Facebook uses the email address as the login username for the service, an attacker only needs to find Hotmail addresses that have been retired in this way, ask Microsoft to assign those addresses to him, and then use the "Forgotten Password" option offered by Facebook.
Facebook sends the password reset link to the newly reactivated address, so the attacker can set a new password and take complete control of the Facebook account.
The researchers tested their theory and gained access to 15 accounts (and, through them, to the friends lists that could have been targeted next), but they stopped there because that was enough to prove their point.
How can you find out which Hotmail accounts have expired? As it turns out, it's not that hard at all:
To facilitate and automate this process, we developed a shell script which checks the MX records of the mail server of any email provider and sends a test email so as to check whether the email is received or not. A failure to deliver the test mail suggests that the email account does not exist on the mail server. The only downside to this approach is that the email address of an individual has to be known and tested manually by the script.
Several email providers, such as, in our case, Hotmail, provide an even easier option to find not only one, but a group of expired email accounts. Windows Live Messenger, an instant messaging service provided by Microsoft, allows anyone to import their friends list from Facebook. The records in this imported list are categorized into two groups:
1. People who are currently on Windows Live.
2. People who are not currently on Windows Live.
Membership in the first category signifies that the person in question has already signed up for the Windows Live service; besides, people having a Hotmail account are automatically signed up for Windows Live. On the other hand, membership in the second category denotes that the person in question does not currently hold an active Windows Live account. Then, in case that person's email is a Hotmail email address, we can safely conclude that this email address has expired. We can then proceed to reactivate it ourselves.
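The paper's shell script is not reproduced on the page. As an added example, not the authors' script, the following Python code performs the same existence check but asks the domain's MX host directly with an SMTP RCPT TO command and reads the reply code, instead of sending a message and waiting for a bounce. The host names, addresses and the sample dig output are constructed, and the FakeSMTP class stands in for a live mail server so that the demo runs offline; in live use probe_recipient() talks to the real MX host via smtplib.

```python
"""Mailbox-existence check via MX lookup and SMTP RCPT TO.

Added example (not the paper's shell script). Host names, addresses and the
sample dig output below are constructed; FakeSMTP stands in for a live server.
"""
import re
import smtplib
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed `dig +short MX example.net` answer used by the offline demo.
SAMPLE_DIG_OUTPUT = "10 mx2.example.net.\n5 mx1.example.net.\n"


def parse_dig_mx(output: str) -> List[str]:
    """Parse `dig +short MX` lines ("<pref> <host>.") into hosts, lowest preference first."""
    records = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+?)\.?\s*$", line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return [host for _, host in sorted(records)]


def resolve_mx(domain: str) -> List[str]:
    """Live MX resolution using the system `dig` binary (needs network access)."""
    proc = subprocess.run(["dig", "+short", "MX", domain],
                          capture_output=True, text=True, check=False)
    return parse_dig_mx(proc.stdout)


def classify_rcpt(code: int) -> str:
    """Map the SMTP reply to RCPT TO onto a verdict.

    2xx: mailbox accepted (or the domain is catch-all, see is_catch_all);
    550/551/553: mailbox unavailable, not local or invalid -> likely retired;
    4xx: temporary failure (greylisting, rate limit) -> try the next MX host.
    """
    if 200 <= code < 300:
        return "exists"
    if code in (550, 551, 553):
        return "missing"
    if 400 <= code < 500:
        return "tempfail"
    return "unknown"


def probe_recipient(address: str, sender: str = "probe@example.org",
                    mx_resolver: Callable[[str], List[str]] = resolve_mx,
                    smtp_factory=smtplib.SMTP) -> Tuple[str, str]:
    """Ask each MX host in turn whether `address` is deliverable.

    Returns (verdict, mx_host). Stops at the first definitive answer and moves
    to the next host on temporary failures or connection errors. No DATA
    command is ever issued, so no message is actually sent.
    """
    domain = address.rsplit("@", 1)[1].lower()
    for host in mx_resolver(domain):
        try:
            with smtp_factory(host, 25, timeout=10) as smtp:
                smtp.ehlo_or_helo_if_needed()
                code, _ = smtp.mail(sender)
                if code != 250:
                    continue
                code, _ = smtp.rcpt(address)
                verdict = classify_rcpt(code)
                if verdict != "tempfail":
                    return verdict, host
        except (OSError, smtplib.SMTPException):
            continue
    return "unknown", ""


def is_catch_all(domain: str, **kw) -> bool:
    """A domain that accepts an obviously bogus local part accepts everything,
    so an "exists" verdict for that domain proves nothing."""
    verdict, _ = probe_recipient(f"zz-nonexistent-7f3a9c2e@{domain}", **kw)
    return verdict == "exists"


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the demo runs offline:
    knows one live mailbox and rejects every other local part with 550."""
    def __init__(self, host, port=25, timeout=None):
        self.host = host
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo_or_helo_if_needed(self):
        pass
    def mail(self, sender):
        return 250, b"2.1.0 Sender OK"
    def rcpt(self, address):
        if address == "alive@example.net":
            return 250, b"2.1.5 Recipient OK"
        return 550, b"5.1.1 Requested action not taken: mailbox unavailable"


def demo() -> Dict[str, str]:
    """Run the probe against the fake MX host; returns {address: verdict}."""
    kw = dict(mx_resolver=lambda domain: parse_dig_mx(SAMPLE_DIG_OUTPUT),
              smtp_factory=FakeSMTP)
    results = {addr: probe_recipient(addr, **kw)[0]
               for addr in ("alive@example.net", "retired@example.net")}
    return results


if __name__ == "__main__":
    for addr, verdict in demo().items():
        print(f"{addr}: {verdict}")
```

Two caveats a practitioner would want before relying on this: a 250 reply only means something once is_catch_all() has shown the domain does not accept every local part, and large providers rate-limit or blacklist hosts that issue many RCPT TO probes, so results against them degrade to "tempfail" or "unknown" quickly.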
The limitation of this attack is that attackers cannot target a specific user; they have to take what they can get, and the Messenger import only reveals candidates among their own Facebook friends. Still, this does not matter much to spammers and scammers, who don't care which account they compromise.
The researchers are advising Facebook to implement a new password reset technique for Hotmail users, one that does not rely solely on control of the registered email address.
For more details about the attack, you can download the paper here.