Free Republic · News/Activism
(Microsoft) Passport flaw leads to password gambit
CNET News.com ^ | 2003/05/08 | Robert Lemos

Posted on 05/08/2003 8:31:20 AM PDT by TechJunkYard

Passport flaw leads to password gambit
By Robert Lemos, Staff Writer, CNET News.com
May 8, 2003, 12:15 AM PT


A serious security flaw in Microsoft's Passport service put customers' accounts, including their personal information and credit card numbers, at risk of being hijacked.

The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account for which the user name is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure.

The simplicity of the attack method and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.

"It is hardly an exploit or even vulnerability; it's just a flaw, in their Web-application logic," the person who posted the vulnerability said in an e-mail to CNET News.com. "The flaw has been there since a long time. I just discovered it recently," wrote the individual who identified himself as Muhammad Faisal Rauf Danka. He claimed to be a Pakistani security consultant and M.B.A. candidate.

Microsoft has touted Passport as a technological centerpiece in its Web services future. Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts.

Microsoft moved quickly to prevent online vandals from exploiting the issue, and posted its advisory just before 8 p.m. PDT. By 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, a spokesman for the company.

The flaw allowed a single Web address--or URL--to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering that single line into a Web browser, an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.

Danka claims to have found the issue after a friend's account had been hacked.

"Later, my friend gave the 'attacker' my passport address as a challenge, and mine was compromised as well," he wrote in the e-mail. Not long after, he figured out how the attacker had compromised the accounts.

The security consultant also said that he had repeatedly sent e-mail warnings to Microsoft's abuse and security addresses at Hotmail.com to no avail. However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.

It wasn't clear Wednesday night whether the flaw affected all Passport accounts, or a smaller subset of accounts. Several security experts confirmed that the flaw could be exploited in the manner described by Danka.

"I tried it on my own account and I tried it on my friends' accounts, with full permission; it worked on all occasions," said Wayne Chang, a student at the University of Massachusetts at Amherst. "This is definitely a big security flaw."

The issue couldn't be confirmed by everyone. In some cases, security experts didn't get an e-mail back from the server.

"I just tried again, and have not yet received an e-mail with the change password link in it," Marc Slemko, a Seattle-area software engineer, wrote to CNET News.com in an e-mail. "That either means it is much slower now or has been disabled."

The engineer believed Microsoft would rally the security teams to handle the vulnerability, as the issue had enormous implications for customers.

TOPICS: Business/Economy; Front Page News; Technical
As the note in the SecurityFocus "Full-Disclosure" mailing list says, It is so simple that it is funny.

SecurityTracker note here.

Not a well-thought-out password reset scheme, IMHO.

1 posted on 05/08/2003 8:31:20 AM PDT by TechJunkYard

To: TechJunkYard
Not a well-thought-out password reset scheme, IMHO.

Microsoft and well-thought-out is an oxymoron.

2 posted on 05/08/2003 8:37:24 AM PDT by Yo-Yo

To: TechJunkYard
Wow. Usually these hacks go right over my head, as I'm not that much of an IT guy. This one IS so simple it's funny. I am so glad I don't have anything with MS but a hotmail account, now.
3 posted on 05/08/2003 8:37:25 AM PDT by Richard Kimball

To: TechJunkYard
Interesting. MSN "lost" my password last week. When I was allowed to put in a new one, I just used the old one, and voila I was back in. I hate MSN. Hotmail.com was cool before MSN took over. Now it's a megalithic cumbersome website.
4 posted on 05/08/2003 8:38:14 AM PDT by EggsAckley ( Midnight at the Oasis)

To: TechJunkYard
One login to rule them all . . . and they're selling this as an eWallet, a one-stop login for all shopping on the web. There are people out there who were foolish enough to put their credit card info into Passport.NET.

This is so simple, it's amazing. Frightening, beautiful and amazing.

5 posted on 05/08/2003 8:42:05 AM PDT by Dominic Harr

To: TechJunkYard
The flaw allowed a single Web address--or URL--to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.

But...but...Microsoft Rules! It must have been an infiltration of evil Linux/Unix types who created this mindbogglingly stupid piece of processing logic!

6 posted on 05/08/2003 8:54:48 AM PDT by dark_lord (The Statue of Liberty now holds a baseball bat and she's yelling 'You want a piece of me?')

To: Dominic Harr
bump
7 posted on 05/08/2003 8:57:49 AM PDT by stainlessbanner

To: TechJunkYard
A serious security flaw in Microsoft's Passport service put customers' accounts, including their personal information and credit card numbers, at risk of being hijacked.

Don't tell me people actually put their credit card numbers in Passport's database. If the label says Microsoft, I don't trust the security. The scary thing is that the next generation of aircraft carriers is going to depend on Microsoft Windows to run everything aboard ship.

8 posted on 05/08/2003 9:04:58 AM PDT by Paleo Conservative

To: Paleo Conservative
Don't tell me people actually put their credit card numbers in Passport's database.

Well, sure!

.NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

What's there to worry about? MS says it's perfectly safe! ;-)

9 posted on 05/08/2003 9:26:54 AM PDT by TechJunkYard (via Nancy)

To: TechJunkYard
Trusting computer security to Microsoft is like trusting defense of Western Civilization to France.
10 posted on 05/08/2003 9:33:02 AM PDT by steve-b

To: steve-b
Now you're getting nasty...
11 posted on 05/08/2003 9:36:56 AM PDT by Frumious Bandersnatch

To: steve-b
Or to Clinton.
12 posted on 05/08/2003 9:52:53 AM PDT by Buckwheats


13 posted on 05/08/2003 12:17:41 PM PDT by TechJunkYard (via Nancy)

Story from The Register

$2 trillion fine for Microsoft security snafu?
Posted: 08/05/2003 at 22:11 GMT

Microsoft's latest security lapse with its Passport information service could trigger a $2.2 trillion fine on the company courtesy of the US government.

Microsoft on Thursday admitted that a flaw in the password reset tool of its Passport service could compromise the information stored on all 200 million users. It scampered to post a fix and is looking into potential exploits, but the damage to Microsoft may already have been done.

The Federal Trade Commission last year demanded that Microsoft improve its Passport security or face stiff fines of up to $11,000 per violation. Redmond promised to work harder to protect consumer information and launched its Trustworthy Computing initiative to put regulators' minds at ease.

Well, the FTC is looking into the Passport breach and could slap Microsoft with a fine of $2.2 trillion to cover all 200 million violated users.

"If we were to find that they didn't take reasonable safeguards to protect the information, that could be an order violation," Jessica Rich, assistant director for financial practices at the FTC, told the AP.

The flaw was discovered close to four minutes after security researcher Muhammad Faisal Rauf Danka set to work on Passport. He was able to access Passport accounts at will by typing "emailpwdreset" into a URL that has the e-mail address of a user account and the address where a reset message can be sent.

A number of people claim to have exploited the flaw on their own accounts and those of friends. With permission from their comrades, of course.

Microsoft sent out a warning by 8 p.m. last night and then plugged the hole three hours later.

The company is very upset about the problem, as evidenced by Microsoft product manager Adam Sohn's comment to CNET.

"Whatever," Sohn said.

Actually, he did not say that, but his real remarks were less than compelling.

"You live and learn," Sohn said. "We will obviously take a hard look to make sure that if something is sent through the nonstandard channels, and it is real, we are all over it."

Live and learn? Can we afford to wait for Microsoft to crawl toward secure code or is password security one of those things we should learn to live without? ®


14 posted on 05/08/2003 7:04:42 PM PDT by TechJunkYard (via Blue)
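The mechanism described in the CNET article at the top of the thread, and again in the Register story reposted in post 14, is a password-reset endpoint that takes the destination for the reset link from the request itself. The Python sketch below is an added example, not code from the original post or from Microsoft's Passport service: it models that flawed design beside a hardened one so the difference is concrete. Every name in it (`ACCOUNTS`, `Outbox`, `ResetService`, the `reset.example` host, the sample addresses) is constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data (not real Passport accounts): one registered account
# and an in-memory "mail server" that records where each message is delivered.
ACCOUNTS = {"victim@example.com": {"password": "old-secret"}}


@dataclass
class Outbox:
    sent: list = field(default_factory=list)  # (recipient, body) pairs

    def send(self, recipient, body):
        self.sent.append((recipient, body))


def vulnerable_reset(query_string, outbox):
    """Flawed design as the article describes it: the request names the account
    to reset *and* the address the reset link should be mailed to, and the
    server trusts both.  Whoever submits the request picks the recipient."""
    params = parse_qs(query_string)
    account = params["email"][0]
    destination = params["sendto"][0]  # caller-controlled, never checked
    if account not in ACCOUNTS:
        return "no such account"       # also reveals which addresses exist
    link = f"https://reset.example/confirm?email={account}"
    outbox.send(destination, link)     # link goes wherever the caller said
    return "reset link sent"


class ResetService:
    """Hardened design: the only place a reset link ever goes is the address
    on record for the account, the link carries a random single-use token
    with a short lifetime, and the response is identical whether or not the
    account exists."""

    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, outbox, clock=time.time):
        self.outbox = outbox
        self.clock = clock
        self.pending = {}  # token -> (account, expiry timestamp)

    def request_reset(self, query_string):
        params = parse_qs(query_string)
        account = params.get("email", [""])[0].strip().lower()
        # Any "sendto" parameter in the request is deliberately ignored.
        if account in ACCOUNTS:
            token = secrets.token_urlsafe(32)
            self.pending[token] = (account, self.clock() + self.TOKEN_TTL)
            self.outbox.send(account, f"https://reset.example/confirm?token={token}")
        # Same answer either way, so the endpoint cannot be used to enumerate accounts.
        return "If that address has an account, a reset link has been sent to it."

    def confirm(self, token, new_password):
        entry = self.pending.pop(token, None)  # pop: a token is redeemable once
        if entry is None:
            return False
        account, expiry = entry
        if self.clock() > expiry:
            return False
        ACCOUNTS[account]["password"] = new_password
        return True


def token_from_link(link):
    """Pull the token back out of a mailed reset link (used by the demo below)."""
    return parse_qs(link.split("?", 1)[1])["token"][0]


if __name__ == "__main__":
    request = "email=victim%40example.com&sendto=attacker%40example.net"
    flawed = Outbox()
    vulnerable_reset(request, flawed)
    print("flawed design delivered the link to:", flawed.sent[0][0])
    hardened = Outbox()
    svc = ResetService(hardened)
    svc.request_reset(request)
    print("hardened design delivered the link to:", hardened.sent[0][0])
```

Running the script shows the same request producing a link addressed to the caller-supplied address under the flawed design and to the registered address under the hardened one. The three properties that matter for a reset flow are all in `ResetService`: the recipient is taken from the account record rather than the request, the link is a random token rather than the account name, and the token is consumed on first use and expires after `TOKEN_TTL` seconds.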

To: TechJunkYard
bttt
15 posted on 05/08/2003 9:04:25 PM PDT by octobersky

To: TechJunkYard
I have a simple solution: Don't use Passport!
16 posted on 05/08/2003 11:14:09 PM PDT by FierceDraka ("I am not a number - I am a FREE MAN!")

To: Paleo Conservative
The scary thing is that the next generation of aircraft carriers is going to depend on Microsoft Windows to run everything aboard ship.

Oh. My. God. You have got to be kidding, Paleo. Just what we need - the Blue Screen of Death on every monitor on the ship during combat operations. If that happens, Microsoft is over, IMO.

17 posted on 05/08/2003 11:21:25 PM PDT by FierceDraka ("I am not a number - I am a FREE MAN!")

To: TechJunkYard
So much for their $40 billion cash reserve... :)
18 posted on 05/09/2003 9:02:07 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: FierceDraka
I have a simple solution: Don't use Passport!

Let's hope that stays a solution.

Microsoft had planned to bribe/coerce/etc all of the big sites to use Passport. Several already do as an option.

With billions in cash, you have to be aware of the power that much money can bring to bear. Especially from a company already convicted of so many counts of fraud, coercion and other illegal behaviors.

19 posted on 05/09/2003 9:28:02 AM PDT by Dominic Harr
