Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passport's Pocket Picked

Posted by michael on from the department-of-insecurity dept.

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?

4 of 327 comments (clear)

  1. more info by Leper · · Score: 5, Informative

    ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:

    Marc's Passport Advisory

  2. Well so much for single sign-on by geophile · · Score: 5, Informative

    I really like this part:

    In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

    While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

    "Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.

  3. XP Integration is evil by jeeryg_flashaccess · · Score: 5, Informative

    Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, cancled a few prompts, went to settings, check 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.

    --
    Life is like pants... fit in or you don't fit in.
    1. Re:XP Integration is evil by Phil+Wherry · · Score: 5, Informative

      Passport really isn't an application on your desktop machine, but MSN Messenger (which requires Passport) is. Messenger is a really irritating application in its own right. And it's actually even more irritating if you have signed up for Passport using a Hotmail account, since it feels compelled to notify you of waiting email at Hotmail every eight microseconds--and it's essentially impossible to keep Microsoft from spamming you with "special offers" that you must know about right away.

      You can, however, uninstall it!

      Have a look at the file c:\windows\inf\sysoc.inf

      Then change the line that reads:


      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

      to

      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

      Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.