Slashdot Mirror


Passport's Pocket Picked

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a Hotmail message. Nice." What happens when someone steals the basket with all your eggs?

9 of 327 comments

  1. more info by Leper · · Score: 5, Informative

    ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:

    Marc's Passport Advisory

  2. Well so much for single sign-on by geophile · · Score: 5, Informative

    I really like this part:

    In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

    While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

    "Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.


  3. XP Integration is evil by jeeryg_flashaccess · · Score: 5, Informative

    Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, canceled a few prompts, went to settings, checked 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.

    --
    Life is like pants... fit in or you don't fit in.
    1. Re:XP Integration is evil by Phil+Wherry · · Score: 5, Informative

      Passport really isn't an application on your desktop machine, but MSN Messenger (which requires Passport) is. Messenger is a really irritating application in its own right. And it's actually even more irritating if you have signed up for Passport using a Hotmail account, since it feels compelled to notify you of waiting email at Hotmail every eight microseconds--and it's essentially impossible to keep Microsoft from spamming you with "special offers" that you must know about right away.

      You can, however, uninstall it!

      Have a look at the file c:\windows\inf\sysoc.inf

      Then change the line that reads:


      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

      to

      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

      Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.
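
The edit described in the comment above, as an added example that is not part of the original post: a small Python parser that lists which entries in the `[Components]` section carry the `hide` flag and clears it for one of them. It assumes the comma-separated layout shown in the post, with the flag in the fourth field; the function names and every sample entry except the `msmsgs` line are constructed for illustration.

```python
import re

# Constructed sample of a sysoc.inf fragment; only the msmsgs line is taken
# from the post above, the other entries are made up for illustration.
SAMPLE = """\
[Components]
; constructed entries for illustration
ExampleComp=example.dll,OcEntry,example.inf,HIDE,7
Visible=visible.dll,OcEntry,visible.inf,,7
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

[Global]
WindowTitle=%WindowTitle%
"""

def _components(lines):
    """Yield (index, name, fields) for each entry in the [Components] section."""
    section = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or INF comment
        m = re.fullmatch(r"\[(.+)\]", stripped)
        if m:
            section = m.group(1).lower()
            continue
        if section == "components" and "=" in stripped:
            name, value = stripped.split("=", 1)
            yield i, name.strip(), [f.strip() for f in value.split(",")]

def hidden_components(text):
    """Names of components whose fourth field is 'hide' (case-insensitive)."""
    return [n for _, n, f in _components(text.splitlines())
            if len(f) >= 4 and f[3].lower() == "hide"]

def unhide(text, component):
    """Return the text with the 'hide' field of one component emptied."""
    lines = text.splitlines()
    for i, name, fields in _components(lines):
        hidden = len(fields) >= 4 and fields[3].lower() == "hide"
        if name.lower() == component.lower() and hidden:
            fields[3] = ""
            lines[i] = f"{name}={','.join(fields)}"
            return "\n".join(lines) + "\n"
    raise KeyError(f"{component} is not a hidden component")

if __name__ == "__main__":
    print(hidden_components(SAMPLE))
    print(unhide(SAMPLE, "msmsgs"))
```

Run it against a copy of the file and compare the result with the original before replacing anything under `c:\windows\inf`.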

  4. This is why... by Amazing+Quantum+Man · · Score: 4, Informative

    I never (knowingly) allow any site to keep my CC number and why I always use a "temporary" CC number (for example Amex Private Payments).

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  5. Re:What about PayPal etc.? by Grand+Facade · · Score: 2, Informative

    165 million people are using Hotmail

    99% of statistics are wrong or misleading

    Just like all those people who have installed Windows Media Player, it is added to an IE upgrade by default.....

    Yawn
    RickB

    --
    Rick B.
  6. Re:What about the other ways your CC # can be stol by innocent_white_lamb · · Score: 2, Informative

    Do you shred / burn them to stop someone from getting your CC #?

    Actually, many people do just that.

    That's not the major point, though. This "crack" will allow someone to, perhaps, manipulate your financial portfolio if it's set up through Passport. "What do you mean, I just bought 10,000 shares in Hot Girl Condos on margin?" Millions and billions of dollars there, at risk, if MS gets their way and that sort of thing is hooked through your Passport account.

    --
    If you're a zombie and you know it, bite your friend!
  7. Re:Who should really be concerned about this? by rudedog · · Score: 2, Informative

    It won't be Visa that eats the chargeback. If there is a chargeback, Visa passes it on to the merchant, and may also levy a fine against the merchant. All online purchases are treated as "no signature present" transactions, which means that the merchant is responsible for detecting fraudulent use.

  8. FYI by SmurfButcher+Bob · · Score: 2, Informative

    The odd thing, however, is that these cookies that are set as a result of Passport authentication are, at times, unique to the browser window they were set in. If I open a new browser window, the cookies are not sent and I am not authenticated.

    Think DRM tokens, e.g. pay per viewing instance.
    --

    help me i've cloned myself and can't remember which one I am