MS Passport reveals credit card details
8 May 2003
Robert Lemos, CNET News.com
A serious security flaw in Microsoft's Passport service puts users' accounts, including their personal information and credit card numbers, at risk of being hijacked.
The flaw, in Passport's password recovery mechanism, allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late on Wednesday night on a security mailing list called Full Disclosure. The simplicity of the attack and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.
"It is hardly an exploit or even vulnerability; it's just a flaw, in their Web-application logic," the person who posted the vulnerability said in an email to CNET News.com. "The flaw has been there since long time, I just discovered it recently," wrote the individual who identified himself as Muhammad Faisal Rauf Danka. He claimed to be a Pakistani security consultant and MBA candidate.
Microsoft moved quickly to prevent online vandals from exploiting the issue. The advisory was posted just before 8pm PDT, and by 11:30pm, the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.
The flaw allowed a single Web address -- or URL -- to be used to request a password reset from the Passport servers. The URL contains the email address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.
The security consultant also said that he had repeatedly sent email warnings to Microsoft's abuse and security addresses at Hotmail.com to no avail. However, he didn't send an email to Microsoft's standard security contact point, email@example.com. "I tried it on my own account and I tried it on my friends' accounts, with full permission; it worked on all occasions," said Wayne Chang, a student at the University of Massachusetts at Amherst. "This is definitely a big security flaw."
Outage hits MSN Web sites
By Joe Wilcox
May 12, 2002, 10:50 AM PT
Microsoft on Sunday afternoon restored its MSN Web sites and services that had been inaccessible most of the morning and left many users unable to access game, Web-based e-mail, chat, search and other features. Sunday's lack of access was the latest in a series of recent glitches affecting MSN Web sites or Passport online authentication services. Users could not access Microsoft's popular Game Zone Web site, nor could they log in to popular MSN chat rooms. Some Hotmail users also found they could not access the Passport log-in page. The outage also affected Internet Explorer 6 users, who discovered they could not search the Web using the default setting. IE 6, which is integrated into Windows XP, uses MSN for Web searches. CNET News.com started receiving user complaints about the outage around 9:15 a.m PDT Sunday and later confirmed through testing that some kind of failure had occurred with a number of MSN Web sites or services. Most services appeared to have been restored early Sunday afternoon. Johnson was one of those users alerting CNET News.com to the problem. He concluded that Microsoft had a problem with one of its primary backbone routers. Microsoft could not be reached for comment about the problems. Microsoft's .Net Messenger service appeared unaffected by the outage, as were the main MSN and Microsoft Web sites.
Security problems open Microsoft's Wallet
By Robert Lemos
November 2, 2001, 5:10 PM PT
Software flaws in the security of Microsoft's Passport authentication system left consumers' financial data wide open, causing the software giant to remove a key service from the Internet to protect people from having their data stolen, a company representative acknowledged Friday.
By sending a Hotmail user a specially crafted e-mail, anyone could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications--say, a Web mail site and a financial site--are not rigorously checked for security.
It is possible to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15 minutes. Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, shows the extent of the problems Microsoft needs to overcome. "It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in his paper outlining the attack. Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing any danger that consumers could have had their information stolen. "Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategy group. Microsoft plans to shorten the time a person remains authenticated to about a minute, Sohn said. He added that the attack would not have been successful if the potential victim had been using Windows XP, Microsoft's new operating system.
New Hotmail Security Glitch Dismissed as 'Minor'
August 21, 2001
By Ed Sutherland
Over the weekend, online e-zine Root Core Network announced it had discovered a flaw allowing Hotmail messages to be read using a well-crafted uniform resource locator (URL) of a target's message. For the exploit to work, however, a malicious hacker would need to know both the user's account name and the nine-digit ID number of the specific message that was to be read. That data would then need to be included in a long URL, according to published reports.
Microsoft said a hacker would need to search thousands of possible combinations before finding a valid message ID, say reports. The Redmond, Washington-based software giant termed the security breach a "proof-of-concept," useful only to people wanting to break into their own e-mail. After notifying Microsoft of the breach, the self-described security researchers released Hobo, a "Hotmail scanning bot" that automates the process of determining a usable message ID. The software reportedly can scan one ID number per second.
Microsoft said late Monday that it was taking the incident seriously and was working on increasing Hotmail security. That security is provided partly through Microsoft's controversial Passport software, which allows one-step access to Internet services. Earlier this month, a coalition of consumer and online privacy groups urged the government to investigate Passport's information-collection practices.
MSN Messenger Suffers Fourth Day of Outages
By Daniel F. DeLong
July 6, 2001
Bill Gates' company was working Friday to resolve glitches that gave MSN Messenger users problems logging on to the system and caused some to lose access to their 'buddy' lists. Officials at Microsoft were hoping to restore full service sometime Friday to users of MSN Messenger, the company's free instant messaging software, after the system suffered its second major glitch this year. As early as Tuesday, some of MSN's 32 million users around the world reported having problems logging on to the system or losing access to their personal contacts, or so-called "buddy list." The company said late Wednesday that an unknown software glitch had affected service for about a third of MSN Messenger users, adding that it would be corrected that day. By late Thursday, however, the problem still had not been corrected, as Microsoft technicians worked feverishly into the morning hours. Last February, the Redmond, Washington-based company had problems with the servers that handle MSN Messenger after a hacker attack. Microsoft denied the problem for several days after the incident was first reported. This time Microsoft -- which is locked in fierce competition with AOL for Instant Messenger dominance -- tried to get in front of the embarrassing problem, saying that the reason for the glitch was not known but that the company was on top of it. "An extremely rare set of circumstances occurred when one of our database servers had a disk controller fail," Sarah Lefko, an MSN product manager, said in a statement. "The issue is hardware-related and MSN is working closely with our vendors and taking appropriate steps on the back-end to resolve the issue," she said. Despite the company's outward calm, users have been bombarding Microsoft with complaints that "buddy lists" have been lost and that they can't even use the Hotmail e-mail feature. Lefko told NewsFactor Network that the outage is not related to its Passport authentication service, the technology its e-mail customers use to log on to MSN services and other Web sites. She said that part of the database service and its backup both failed, adding that the "buddy lists" will be restored when the glitch is repaired.