Slashdot Mirror


Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

16 of 433 comments

  1. Remember... by stu_coates · Score: 5, Funny

    Remember folks, this is Trustworthy Computing! ;-)

    1. Re:Remember... by Gortbusters.org · Score: 5, Funny

      That's one degree of difference with .NET!

      --
      --------
      Free your mind.
  2. Oh my God (Mad scramble) by LookSharp · Score: 5, Funny

    Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

    Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

    1. Re:Oh my God (Mad scramble) by Anonymous Coward · Score: 5, Funny

      I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

      Don't bother, I just did it for you.

  3. As lame as it sounds... by Anonymous Coward · Score: 5, Funny

    ...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

  4. Security flaw in Passport!!!! by grahamlee · Score: 5, Funny

    In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

  5. The Microsoft Information Minister Says: by retards · Score: 5, Funny

    We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

  6. good by Nevrar · Score: 5, Funny

    "...the victim's accounts..."

    It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

    --
    Nevrar
  7. Oh no by Rik+Sweeney · Score: 5, Funny

    A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

    But that spam is personal to me. It's not for anyone else.

  8. Well, at least now I know... by johannesg · Score: 5, Funny

    ...where I don't want to go today.

    Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

  9. Whoever has got... by archetypeone · Score: 5, Funny

    victim@hotmail.com or attacker@attacker.com is going to be really pissed...

  10. Re:Can someone explain this? by Anonymous Coward · Score: 5, Funny

    I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

  11. Add one to the pile by Ashyukun · Score: 5, Funny

    Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

    1. Re:Add one to the pile by dubstop · Score: 5, Funny

      That's how it starts.

      In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

      Where do you want to go today?

  12. Re:Ruh Roh Raggy by archen · Score: 5, Funny

    If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

  13. Another Hotmail Password Hack found on Kazaa by doublem · Score: 5, Funny

    Hotmail password hacker.doc

    THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD

    Step 1:
    send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line

    Step 2: The email body
    In the first line: put the complete email address of the user whose password you want.

    In the 5th line, type the email address and the login (pass) you want the password sent to,
    here is an example:

    To: Robot_pass_finder@hotmail.com
    Subject: PW: fetchpass
    CC.________________ BCC.___________________
    =-email body-=

    address@hotmail.com

    your email address here example.: myemail@hotmail.com
    your pass here example.: mypassword

    --
    "Live Free or Die." Don't like it? Then keep out of the USA