Passport's Pocket Picked

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?

Did anyone not see this coming?

[chronos2266]

I remember a year or two ago a person could send you an email and obtain your hotmail account. Hotmail is a gaping hole in the passport service.

With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.

I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.

Re:Did anyone not see this coming?

[Jason+Earl]

Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?

In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.

single point of failure

[Pope]

MS seems to have Single Point of Failure problems in a lot of things: the Registry, any one?

Re:What happens when someone steals the basket wit

[MaxwellStreet]

Interestingly, this is exactly what will happen.

Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.

I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.

The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.

Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.

What about PayPal etc.?

[byronne]

Maybe I'm being stupid here, but what's the diff between Passport and PayPal, and why hasn't PayPal been a crack target?

Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...

Passport liability

[stox]

I haven't read the pasport user's agreement, but would I be incorrect in guessing that Microsoft takes no responsibility for the safety of one's personal data? We're sorry we ruined your life, but if you read the fine print you will see that we are not responsible for anything. When will Microsoft be held responsible for it's actions?

Re:Burning Reichstag

[Shotgun]

Good conspiracy theory, but I would have to say look at history in this case. MS is threatened. Sales revenue is in the toilet and the outlook for future sales is even bleaker. They have to come up with a strategy and implement it fast. What do they do?

What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.

Course, I won't be buying it then either. 8*)

Another lesson to be learned from this

[Paul+Boven]

This shows that your private information may not be in the best hands when entrusted to a company
like Microsoft. But there are other 'takers'. Some even with the best of intentions.

If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.

Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.

I feel this makes the whole idea of a centralized service like Passport or any of it's competitors an extremely dangerous development.

No one knows, or cares

[xtremex]

The typical user does NOT get this information.
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHZ, 1 GB RAM , DVD RAM and Windows XP for anout 5 Grand. He browses the web PERFECTLY fine on his 988 MHZ PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.