Passport's Pocket Picked

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?

more info

[Leper]

ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:

Marc's Passport Advisory

Well so much for single sign-on

[geophile]

I really like this part:

In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.

XP Integration is evil

[jeeryg_flashaccess]

Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, cancled a few prompts, went to settings, check 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.

Re:XP Integration is evil

[Phil+Wherry]

Passport really isn't an application on your desktop machine, but MSN Messenger (which requires Passport) is. Messenger is a really irritating application in its own right. And it's actually even more irritating if you have signed up for Passport using a Hotmail account, since it feels compelled to notify you of waiting email at Hotmail every eight microseconds--and it's essentially impossible to keep Microsoft from spamming you with "special offers" that you must know about right away.

You can, however, uninstall it!

Have a look at the file c:\windows\inf\sysoc.inf

Then change the line that reads:


msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

to

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.

This is why...

[Amazing+Quantum+Man]

I never (knowingly) allow any site to keep my CCnumber and why I always use a "temporary" CC number (for example Amex Private Payments).

Re:What about PayPal etc.?

[Grand+Facade]

165 million people are using Hotmail

99% of statistics are wrong or misleading

Just like all those people who have installed windows media player, it is added to an IE upgrade by default.....

Yawn
RickB

Re:What about the other ways your CC # can be stol

[innocent_white_lamb]

Do you shred / burn them to stop someone from getting your CC #?

Actually, many people do just that.

That's not the major point, though. This "crack" will allow someone to, perhaps, manipulate your financial portfolio if it's set up through Passport. "What do you mean, I just bought 10,000 shares in Hot Girl Condos on margin?" Millions and billions of dollars there, at risk, if MS gets their way and that sort of thing is hooked through your Passport account.

Re:Who should really be concerned about this?

[rudedog]

It won't be Visa that eats the chargeback. If there is a chargeback, Visa passes it on to the merchant, and may also levy a fine against the merchant. All online purchases are treated as "no signature present" transactions, which means that the merchant is responsible for detecting fraudulent use.

FYI

[SmurfButcher+Bob]

The odd thing, however, is that these cookies that are set as a result of Passport authentication are, at times, unique to the browser window they were set in. If I open a new browser window, the cookies are not sent and I am not authenticated.

Think DRM tokens, e.g. pay per viewing instance.

Re:Another lesson to be learned from this

Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible.

In virtually every case that comes to mind, you're wrong. Security is NOT enhanced by reduandancy, reliability is. The more points there are to attack, the more vulnerable the system is. Hence, firewalls. Having many points of attack, all different, is NOT more secure, it just gives a wider variety of holes to drive a truck through. Hence, firewalls. So now you have Windows holes, Linux holes, Solaris holes, and god knows what else, all giving a succesful attacker a point of entry. Well done.

Even when applied to storing your data at multiple sites (which you seem to allude to) is hardly the panacea you think it is. So now bits and pieces of your identity are available to an attacker on a variety of systems. Maybe the one holding your mailing address is running a 2 year old Linux install. There is something to be said for very very few, well secured, highly available sites keeping/mirroring your data. If you had a big db to store in your company, would you run 10 database servers, each one holding 10 tables of your database (hey, it's secure!), or would you have one Big Ass Oracle server? No, you'd have one Big Ass Oracle server. And a backup/mirror server, and a data warehouse server.

Also remember, having your data scattered across many servers simply means many points of failure. I guess your data would be really secure if no one can get to it, hmm?