Hotmail loophole leaves Facebook accounts vulnerable
Would-be attackers could claim Facebook logins through expired Hotmail addresses
Facebook users who log in with Hotmail or other web-based email addresses may be vulnerable to account hijacking, owing to a loophole involving expired addresses.
Microsoft deactivates Hotmail accounts after 270 days of inactivity and, after a further period, releases the addresses for any new user who requests them.
Whoever registers a recycled address then receives the password-reset emails sent to it by other sites – such as Facebook – and can use them to take control of the original owner's profile.
Microsoft has retired Hotmail, shifting users to the new Outlook.com. But since Outlook.com is also web-based and operates the same account deactivation policy, that could still leave users vulnerable to attack.
Gmail appears to be less vulnerable because it doesn’t allow new users to request previously used addresses.
"The problem arises from the fact that the privacy of a user’s online social network account rests on the privacy of one’s email account. Once the user loses the one, they can lose the other as well," said the researchers.
Facebook claimed the vulnerability was Microsoft's responsibility and advised users to ensure their addresses were active and up to date. The firm pointed out that there are other account recovery options available if users are concerned about resetting passwords via email, such as SMS or appointing trusted friends.
"This is not a Facebook security issue – this is a vulnerability that only applies to a small number of people who have not updated their Hotmail email address tied to their Facebook account," said the spokesperson. "Nothing is more important to us than the safety and security of people on Facebook. We encourage people to make sure the email address associated with their Facebook account is up to date and secure. We are constantly building and releasing new security features, from login notifications to one-time passwords, and we encourage their use."
Microsoft has not responded to a request for comment.