Slashdot Mirror
Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
The depressing thing is, it's such a simple exploit...
Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.
When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly what who would be able to do what with it. It's just commonsense, surely?
"A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "
.NET Passport means. I only know Hotmail said: .Net
.Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.
I fail to u'stand what Microsoft
In 1999: Login to Hotmail
In 2000: Login to Passport
2001 and later: Login to
Nobody seems to know what the hell
Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.
If you keep throwing chairs, one day you'll break windows....
While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?
And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.
Constant vulnerabilities == no real DRM.
Mind the gap...
Fixed does not mean simply 404ing the offending page. There are many legitimate users now who cannot change their passwords. This is a cheap hack while they work out what the fsck to do about the real problem.
Bob
Listen to my latest album here
It's a good thing that (according to M$ ads) that the hacker is an endangered species, so that there is noone around to exploit this exploit.
Current score: XBox is hacked, Passport is unsecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.
Welcome to the age of untrustworthy computing...
Its kindof important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed of h4x0rs who are going to want their exploit back.
~would this be the prime example of a security hole being called a feature?~
[Fuck Beta]
o0t!
I agree completely.
I spent a year on contract developing a product, web based (on Unix), which allowed users and managers spend budgets as allocated by management in real time and I spent 3 doing just planning and develping the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was addmittedly a little more complex than your average auth system).
In the end the system has a really solid auth system everything is authenticated and when you try and actually make a transaction there is a multi tiered system that checks budget approval at user, office, team and company level.
It required mind numbing discussions again and again to get it done but it was resolved in the end. I'm glad the projects over though, repeately explaining why it was nesseary to take a long and stable and secure approach (rather than a quick hack approach) to non technical people is very draining (their simple approach, though the wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).
I utterly, utterly dispair when I see cgi scripts that don't have a decent authentication mechanisim. With rare exception (along the lines of everybody makes mistakes) it's just incompotence, there are simply people out there who really should not design or impliment systems or write software (even CGI's).
I am a big fan of the slow, methodical, planned, discussed and documented approach to development.
The previous exploits for hotmail were poor, but I recall that at least of one of them was due to an error error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...
Why should Microsoft be "taken to the cleaners", when their EULA's state that any similarity between the software the sell and what they claim they are selling is purely coincidental.
See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."
They want it both ways, and they seem to have gotten it.
You are in a maze of twisty little passages, all alike.