Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
404 error (Score:2, Informative)
Re:Remember... (Score:5, Informative)
nu.nl [nu.nl] for people who know how to read Dutch (no, NOT German).
A legitimate use? (Score:2, Informative)
FUD (Score:0, Informative)
May I suggest the headline on the article be changed from "Security Vulnerability in Microsoft
Re:Can someone explain this? (Score:1, Informative)
What's really scary... (Score:1, Informative)
Re:How do you contact Microsoft? (Score:2, Informative)
404 (Score:2, Informative)
RTFA (Score:2, Informative)
Re:Remember... (Score:5, Informative)
However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.
The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.
MS-Passport and those that cannot/will not read (Score:5, Informative)
There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz [com.com] to last through September.
We'll see if they last [pcmag.com] that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.
This is not new (Score:5, Informative)
It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.
Don't believe me? Do a search on Kazaa for hotmail passwords. You will find several txt/doc's with these or similar instructions.
What breed of idiot are you? (Score:5, Informative)
Re:thoughts (Score:5, Informative)
If you went to:
https://register.passport.net/emailpwdreset.srf
and replaced the victim address with a real user's, and the attacker@attacker.com with your address, they would send you an email telling you to click on another link, and you could set your own password. Voilà, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.
MS announcement (Score:3, Informative)
Re:FUD (Score:2, Informative)
For non-Hotmail e-mail addresses there exists an option to receive change instructions by e-mail. The URL that's generated on those pages is similar to the one in the exploit, yet entering an "attacker" address other than the "victim" address doesn't result in an e-mail being sent. If the two addresses in the URL match the one on the account, the e-mail appears to be sent.
Looks like they indeed patched, although there shouldn't be two addresses in the URL, or even better, they shouldn't be passing them in the URL at all.
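The fix the poster above asks for (one address, not two, and none taken from the URL), shown as an added Python example that is not from the thread or from Passport itself; the account store, outbox and server secret are constructed stand-ins:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the account store: account name -> address of record.
ACCOUNTS = {"victim@example.com": "victim@example.com"}


@dataclass
class Outbox:
    """Constructed stand-in for the mail relay; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def reset_request_vulnerable(account: str, notify_to: str, outbox: Outbox) -> bool:
    """Mirrors the flaw described in the thread: the reset link is mailed to
    whatever address the caller put in the URL, not to the address on the account."""
    if account not in ACCOUNTS:
        return False
    outbox.send(notify_to, f"Reset link for {account}: ...")
    return True


def reset_request_fixed(account: str, outbox: Outbox, secret: bytes) -> bool:
    """Hardened form: the caller names only the account. The server looks up the
    address of record itself and mails a random, account-bound token there.
    A production system would also store the nonce with an expiry and single-use flag."""
    recorded = ACCOUNTS.get(account)
    if recorded is None:
        return True  # same outward response for unknown accounts; no mail is sent
    nonce = secrets.token_urlsafe(24)
    tag = hmac.new(secret, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    outbox.send(recorded, f"Reset token for {account}: {nonce}.{tag}")
    return True


def verify_token(account: str, token: str, secret: bytes) -> bool:
    """Accept a presented token only if this server minted it for this account."""
    try:
        nonce, tag = token.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```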
8:52am CST - MS turns the vulnerability back on. (Score:2, Informative)
Re:Remember... (Score:3, Informative)
his name is probably (Score:5, Informative)
Do a search for Ashyukun on Google (www.nhmk.com/nes/).
also at
(http://216.239.33.104/search?q=cache:q1XY1gcmA
Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?
Re:Can someone explain this? (Score:3, Informative)
But the short answer to your question is that yes, the overkill of .NET branding has muddied and confused the perception of what .NET is. But hey, everyone in the world knows the name, so mission accomplished?
Re:How do you contact Microsoft? (Score:3, Informative)
So, in case you guys need to contact Steve, you have his email address now!
Re:Remember... (Score:4, Informative)
YES Re:How do I close a .Net Passport account? (Score:2, Informative)
You click on that, agree to their terms and close your account right there in three clicks.
Good luck