Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allows a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a Hotmail message. Nice." What happens when someone steals the basket with all your eggs?
more info (Score:5, Informative)
Marc's Passport Advisory [znep.com]
Well so much for single sign-on (Score:5, Informative)
In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
XP Integration is evil (Score:5, Informative)
This is why... (Score:4, Informative)
Re:XP Integration is evil (Score:5, Informative)
You can, however, uninstall it!
Have a look at the file c:\windows\inf\sysoc.inf
Then change the line that reads:
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
to
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7
Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tab. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.
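The comment above edits sysoc.inf by hand. As an added illustration (not part of the original comment or of any Microsoft tool), the following Python script parses the `[Components]` section of a sysoc.inf-style file, lists which components carry the `hide` flag in the fourth field, and clears that flag on one named entry while leaving every other line untouched. The file contents are a constructed sample in the same `key=dll,entrypoint,inf,flags,level` layout as the line quoted above, not copied from a real system; run it against a copy of the real file before touching the original.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of c:\windows\inf\sysoc.inf (not taken from a real machine).
SAMPLE_SYSOC = """[Version]
Signature = "$Windows NT$"

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
WMPOCM=ocgen.dll,OcEntry,wmpocm.inf,HIDE,7
Games=ocgen.dll,OcEntry,games.inf,,7
"""


def parse_components(text: str) -> Dict[str, List[str]]:
    """Return {component name: [dll, entry point, inf, flags, level]} from the [Components] section.

    Sections are INI-style; comment lines start with ';'. Field count is not enforced here,
    because some real entries (e.g. with an empty inf field) have fewer than five fields.
    """
    components: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[components]"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            components[name.strip()] = [f.strip() for f in value.split(",")]
    return components


def hidden_components(text: str) -> List[str]:
    """Names whose fourth field is 'hide' (case-insensitive): these are not shown in Add/Remove Programs."""
    return [
        name
        for name, fields in parse_components(text).items()
        if len(fields) >= 4 and fields[3].lower() == "hide"
    ]


def unhide_component(text: str, name: str) -> Tuple[str, bool]:
    """Clear the hide flag on the line for `name`, leaving all other lines exactly as they were.

    Returns (new text, changed). The pattern requires the name to be followed by '=' so that
    'msmsgs' cannot match a longer key such as 'msmsgsX'.
    """
    pattern = re.compile(
        r"^(\s*" + re.escape(name) + r"\s*=\s*[^,\n]*,[^,\n]*,[^,\n]*,)\s*hide\s*(,.*)$",
        re.IGNORECASE | re.MULTILINE,
    )
    new_text, count = pattern.subn(r"\1\2", text)
    return new_text, count > 0


if __name__ == "__main__":
    print("hidden before:", hidden_components(SAMPLE_SYSOC))
    updated, changed = unhide_component(SAMPLE_SYSOC, "msmsgs")
    print("changed:", changed)
    print("hidden after:", hidden_components(updated))
```

Only the fourth field of the one matching line changes; the rest of the file is returned byte-for-byte, which is what you want when editing a setup file that Windows parses itself.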
Re:What about PayPal etc.? (Score:2, Informative)
99% of statistics are wrong or misleading
Just like all those people who have installed windows media player, it is added to an IE upgrade by default.....
Yawn
RickB
Re:What about the other ways your CC # can be stol (Score:2, Informative)
Actually, many people do just that.
That's not the major point, though. This "crack" will allow someone to, perhaps, manipulate your financial portfolio if it's set up through Passport. "What do you mean, I just bought 10,000 shares in Hot Girl Condos on margin?" Millions and billions of dollars there, at risk, if MS gets their way and that sort of thing is hooked through your Passport account.
Re:Who should really be concerned about this? (Score:2, Informative)
FYI (Score:2, Informative)
The odd thing, however, is that these cookies that are set as a result of Passport authentication are, at times, unique to the browser window they were set in. If I open a new browser window, the cookies are not sent and I am not authenticated.
Think DRM tokens, e.g. pay per viewing instance.
Re:Another lesson to be learned from this (Score:1, Informative)
In virtually every case that comes to mind, you're wrong. Security is NOT enhanced by redundancy, reliability is. The more points there are to attack, the more vulnerable the system is. Hence, firewalls. Having many points of attack, all different, is NOT more secure, it just gives a wider variety of holes to drive a truck through. Hence, firewalls. So now you have Windows holes, Linux holes, Solaris holes, and god knows what else, all giving a successful attacker a point of entry. Well done.
Even when applied to storing your data at multiple sites (which you seem to allude to), it is hardly the panacea you think it is. So now bits and pieces of your identity are available to an attacker on a variety of systems. Maybe the one holding your mailing address is running a 2 year old Linux install. There is something to be said for very very few, well secured, highly available sites keeping/mirroring your data. If you had a big db to store in your company, would you run 10 database servers, each one holding 10 tables of your database (hey, it's secure!), or would you have one Big Ass Oracle server? No, you'd have one Big Ass Oracle server. And a backup/mirror server, and a data warehouse server.
Also remember, having your data scattered across many servers simply means many points of failure. I guess your data would be really secure if no one can get to it, hmm?