Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
Remember folks, this is Trustworthy Computing! ;-)
Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!
/obvious
Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past...
...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....
In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.
We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!
unsuccessful attempts to contact Microsoft.
It's not their fault Outlook kept crashing, right?
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Holy Crap!
.NET, there's only one degree of separation between me and evil crackers.
If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.
With
-B
"...the victim's accounts..."
;)
It's nice to see people are finally realising that Passport/Hotmail users are victims.
Nevrar
A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account
But that spam is personal to me. It's not for anyone else.
Summation 2
Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...
victim@hotmail.com or attacker@attacker.com is going to be really pissed...
I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !
Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.
or just go for abuse@hotmail.com.
Rus
Cheap UK and US VPS
Do they actually have a procedure to inform them when things are broken?
As far as I'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
That reminds me of the time I and a friend noticed a free mail provider that had forgotten to reserve certain interesting (to say the least) addresses.
:-)
I got webmaster@... and I believe my friend got administrator@...
I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it
Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.
I did get carried away a couple of times though. Once I decided to reply to a spam complaint and thanked them for the nice porn links they forwarded to me. They never responded, funny thing.
(this posted anonymously for obvious reasons)
Mechanic: We fixed your brakes... they no longer make that awful screeching sound.
Me: Thanks. How did you fix them?
Mechanic: We removed the brakes entirely
Me: What the...
Mechanic: That will be $567.98, please.
I take drugs seriously.
It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).
Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.
This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.
If you keep throwing chairs, one day you'll break windows....
Hotmail password hacker.doc
THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD
Step 1:
send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line
Step 2: The email body
In the first line: put the complete email address of the user whose password you want.
In the 5th line, type the email address and the login (pass) you want the password sent to,
here is an example:
To: Robot_pass_finder@hotmail.com
Subject: PW: fetchpass
CC.________________ BCC.___________________
=-email body-=
address@hotmail.com
your email address here example.: myemail@hotmail.com
your pass here example.: mypassword
"Live Free or Die." Don't like it? Then keep out of the USA