Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
Remember folks, this is Trustworthy Computing! ;-)
Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!
/obvious
Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past...
...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....
In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.
We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!
"...the victim's accounts..."
;)
It's nice to see people are finally realising that Passport/Hotmail users are victims.
Nevrar
A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account
But that spam is personal to me. It's not for anyone else.
Summation 2
Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...
victim@hotmail.com or attacker@attacker.com is going to be really pissed...
I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst!
Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.
If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...
Hotmail password hacker.doc
THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD
Step 1:
send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line
Step 2: The email body
In the first line: put the complete email address of the user whose password you want.
In the 5th line, type the email address and the login (pass) you want the password sent to,
here is an example:
To: Robot_pass_finder@hotmail.com
Subject: PW: fetchpass
CC.________________ BCC.___________________
=-email body-=
address@hotmail.com
your email address here example.: myemail@hotmail.com
your pass here example.: mypassword
"Live Free or Die." Don't like it? Then keep out of the USA