Shantanu's Blog

Database Consultant

May 26, 2003

MS Passport reveals credit card details
8 May 2003
Robert Lemos, CNET

A serious security flaw in Microsoft's Passport service puts users' accounts, including their personal information and credit card numbers, at risk of being hijacked.
The flaw, in Passport's password recovery mechanism, allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late on Wednesday night on a security mailing list called Full Disclosure. The simplicity of the attack and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.
"It is hardly an exploit or even vulnerability; it's just a flaw, in their Web-application logic," the person who posted the vulnerability said in an email to CNET. "The flaw has been there since long time, I just discovered it recently," wrote the individual who identified himself as Muhammad Faisal Rauf Danka. He claimed to be a Pakistani security consultant and MBA candidate.
Microsoft moved quickly to prevent online vandals from exploiting the issue. The advisory was posted just before 8pm PDT, and by 11:30pm, the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.
The flaw allowed a single Web address -- or URL -- to be used to request a password reset from the Passport servers. The URL contains the email address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.
The security consultant also said that he had repeatedly sent email warnings to Microsoft's abuse and security addresses, to no avail. However, he didn't send an email to Microsoft's standard security contact point.

"I tried it on my own account and I tried it on my friends' accounts, with full permission; it worked on all occasions," said Wayne Chang, a student at the University of Massachusetts at Amherst. "This is definitely a big security flaw."
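As an added illustration (not code from the article or from Microsoft), here is the shape of the reset-request logic the article describes, beside a hardened version that only ever mails the address already on file and issues a single-use, expiring token; the account store, parameter names and token lifetime are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs

# Constructed in-memory state for the demo (hypothetical, not Passport's data).
ACCOUNTS = {"victim@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}   # token -> (account, expiry timestamp)
OUTBOX = []         # (recipient, message) pairs the mailer would deliver
TOKEN_TTL = 900     # seconds a reset link stays valid (assumed value)


def flawed_reset_request(query):
    """The logic the article describes: the request names both the account
    and the address that should receive the reset link, and the server
    trusts the second one."""
    params = parse_qs(query)
    account = params["email"][0]
    destination = params["sendto"][0]          # caller-controlled recipient
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append((destination, f"reset?token={token}"))
    return destination, token


def safe_reset_request(query):
    """Hardened form: the link only ever goes to the address on file for the
    account, so a 'sendto' parameter in the request is simply ignored."""
    params = parse_qs(query)
    account = params["email"][0]
    if account not in ACCOUNTS:
        return None, None                      # nothing to send, nothing leaked
    token = secrets.token_urlsafe(32)          # unguessable, single-use token
    RESET_TOKENS[token] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append((account, f"reset?token={token}"))
    return account, token


def complete_reset(token, new_password, now=None):
    """Consumes the token exactly once; unknown or expired tokens fail."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)      # pop: a replayed link is dead
    if entry is None:
        return False
    account, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[account]["password"] = new_password
    return True
```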

Outage hits MSN Web sites
By Joe Wilcox
Staff Writer
May 12, 2002, 10:50 AM PT

Microsoft on Sunday afternoon restored its MSN Web sites and services that had been inaccessible most of the morning and left many users unable to access game, Web-based e-mail, chat, search and other features.

Sunday's lack of access was the latest in a series of recent glitches affecting MSN Web sites or Passport online authentication services. Users could not access Microsoft's popular Game Zone Web site, nor could they log in to popular MSN chat rooms. Some Hotmail users also found they could not access the Passport log-in page.

The outage also affected Internet Explorer 6 users, who discovered they could not search the Web using the default setting. IE 6, which is integrated into Windows XP, uses MSN for Web searches.

CNET started receiving user complaints about the outage around 9:15 a.m. PDT Sunday and later confirmed through testing that some kind of failure had occurred with a number of MSN Web sites or services. Most services appeared to have been restored early Sunday afternoon.

Johnson was one of those users alerting CNET to the problem. He concluded that Microsoft had a problem with one of its primary backbone routers. Microsoft could not be reached for comment about the problems. Microsoft's .Net Messenger service appeared unaffected by the outage, as were the main MSN and Microsoft Web sites.

Security problems open Microsoft's Wallet
By Robert Lemos
Staff Writer
November 2, 2001, 5:10 PM PT

Software flaws in the security of Microsoft's Passport authentication system left consumers' financial data wide open, causing the software giant to remove a key service from the Internet to protect people from having their data stolen, a company representative acknowledged Friday.
By sending a Hotmail user a specially crafted e-mail, anyone could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications--say, a Web mail site and a financial site--are not rigorously checked for security.
It is possible to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15 minutes.

Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, shows the extent of the problems Microsoft needs to overcome.

"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in his paper outlining the attack.

Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing any danger that consumers could have had their information stolen.

"Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategy group. Microsoft plans to shorten the time a person remains authenticated to about a minute, Sohn said. He added that the attack would not have been successful if the potential victim had been using Windows XP, Microsoft's new operating system.

New Hotmail Security Glitch Dismissed as 'Minor'
August 21, 2001
By Ed Sutherland
NewsFactor Network

Over the weekend, online e-zine Root Core Network announced it had discovered a flaw allowing Hotmail messages to be read using a well-crafted uniform resource locator (URL) of a target's message. For the exploit to work, however, a malicious hacker would need to know both the user's account name and the nine-digit ID number of the specific message that was to be read. That data would then need to be included in a long URL, according to published reports.
Microsoft said a hacker would need to search thousands of possible combinations before finding a valid message ID, say reports. The Redmond, Washington-based software giant termed the security breach a "proof-of-concept," useful only to people wanting to break into their own e-mail. After notifying Microsoft of the breach, the self-described security researchers released Hobo, a "Hotmail scanning bot" that automates the process of determining a usable message ID. The software reportedly can scan one ID number per second.
Microsoft said late Monday that it was taking the incident seriously and was working on increasing Hotmail security. That security is provided partly through Microsoft's controversial Passport software, which allows one-step access to Internet services. Earlier this month, a coalition of consumer and online privacy groups urged the government to investigate Passport's information-collection practices.

MSN Messenger Suffers Fourth Day of Outages
By Daniel F. DeLong
NewsFactor Network
July 6, 2001

Bill Gates' company was working Friday to resolve glitches that gave MSN Messenger users problems logging on to the system and caused some to lose access to their 'buddy' lists. Officials at Microsoft were hoping to restore full service sometime Friday to users of MSN Messenger, the company's free instant messaging software, after the system suffered its second major glitch this year.

As early as Tuesday, some of MSN's 32 million users around the world reported having problems logging on to the system or losing access to their personal contacts, or so-called "buddy list." The company said late Wednesday that an unknown software glitch had affected service for about a third of MSN Messenger users, adding that it would be corrected that day. By late Thursday, however, the problem still had not been corrected, as Microsoft technicians worked feverishly into the morning hours.

Last February, the Redmond, Washington-based company had problems with the servers that handle MSN Messenger after a hacker attack. Microsoft denied the problem for several days after the incident was first reported. This time Microsoft -- which is locked in fierce competition with AOL for Instant Messenger dominance -- tried to get in front of the embarrassing problem, saying that the reason for the glitch was not known but that the company was on top of it.

"An extremely rare set of circumstances occurred when one of our database servers had a disk controller fail," Sarah Lefko, an MSN product manager, said in a statement. "The issue is hardware-related and MSN is working closely with our vendors and taking appropriate steps on the back-end to resolve the issue," she said.

Despite the company's outward calm, users have been bombarding Microsoft with complaints that "buddy lists" have been lost and that they can't even use the Hotmail e-mail feature.
Lefko told NewsFactor Network that the outage is not related to its Passport authentication service, the technology its e-mail customers use to log on to MSN services and other Web sites. She said that part of the database service and its backup both failed, adding that the "buddy lists" will be restored when the glitch is repaired.

