Microsoft has issued a temporary permanent fix for a previously undisclosed bug in its MSN Hotmail Web email service that could have allowed remote attackers to reset account passwords. Remote attackers could use the security hole to bypass the password recovery service to setup a new password, according to a notice published by Vulnerability Laboratory senior researcher Benjamin Kunz Mejri. The exploit was initially discovered by a Saudi Arabian hacker working for Dev-point.com and was, leaked to hacker forums, where it spread quickly. Despite the quick action to fix the flaw, Whitec0de claims it has been widely used to compromise Hotmail accounts.
Source: https://threatpost.com/hotmail-password-reset-bug-exploited-wild-042612/76490/