Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
Oh no, not again... (Score:5, Insightful)
Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.
When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly what who would be able to do what with it. It's just common sense, surely?
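A reset flow that a password-resetting system of the kind the comment above asks for would need, as an added example that is not from the original thread or from Passport itself: the password only changes when the caller presents a fresh, single-use token that was issued for that exact account. The service, account names and token lifetime are hypothetical and the stores are in memory.

```python
# Added example (not from the Slashdot thread or Microsoft): a password-reset
# flow that refuses to change a password unless the caller proves possession of
# a fresh, single-use, account-bound reset token. Names are hypothetical.
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.passwords = {}   # account -> password hash (constructed store)
        self.pending = {}     # sha256(token) -> (account, expiry)

    def set_password(self, account, password):
        # sha256 stands in for a real slow password hash (scrypt/argon2) here
        self.passwords[account] = hashlib.sha256(password.encode()).hexdigest()

    def check_password(self, account, password):
        h = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.passwords.get(account, ""), h)

    def request_reset(self, account):
        """Issue a token; only its hash is stored. The raw token is delivered
        out of band (e-mail) to the address already on file for the account."""
        if account not in self.passwords:
            return None  # same outward behaviour whether or not the account exists
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (account, self.now() + TOKEN_TTL)
        return token

    def reset_password(self, account, token, new_password):
        """The account named in the request must match the account the token
        was issued for; the token must be unexpired and is consumed on use,
        including on a failed attempt."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None:
            return False
        bound_account, expiry = entry
        if self.now() > expiry:
            return False
        if not hmac.compare_digest(bound_account.encode(), account.encode()):
            return False
        self.set_password(account, new_password)
        return True
```

The request naming a different account than the one the token was issued for is the case the thread's flaw got wrong; here it fails and burns the token.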
Can someone explain this? (Score:5, Insightful)
I fail to u'stand what Microsoft
In 1999: Login to Hotmail
In 2000: Login to Passport
2001 and later: Login to
Nobody seems to know what the hell
Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.
This should encourage anti-DRM folks (Score:5, Insightful)
And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.
Constant vulnerabilities == no real DRM.
Flawed concept (Score:3, Insightful)
The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
And the open source community... (Score:0, Insightful)
No?
Didn't think so.
Re:Remember... (Score:5, Insightful)
Current score: XBox is hacked, Passport is insecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.
Welcome to the age of untrustworthy computing...
The Damage Has Been Done (Score:5, Insightful)
It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.
~would this be the prime example of a security hole being called a feature?~
I agree completely. (Score:5, Insightful)
I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).
In the end the system has a really solid auth system everything is authenticated and when you try and actually make a transaction there is a multi tiered system that checks budget approval at user, office, team and company level.
It required mind numbing discussions again and again to get it done but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).
I utterly, utterly despair when I see cgi scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).
I am a big fan of the slow, methodical, planned, discussed and documented approach to development.
The previous exploits for hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...
Re:What do people expect? (Score:5, Insightful)
Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?
Re:Remember... (Score:2, Insightful)
I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, I think that Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really - if they don't fix it, they'll end up the dumbasses, cos people will lose their trust in the Passport system, and use other means for online transactions.
Re:This should encourage anti-DRM folks (Score:5, Insightful)
The problem is not whether it works - we all know that DRM is technically impossible (analog hole). The problem is that combined with the DMCA, DRM makes fair use illegal. If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.
Re:I agree completely. (Score:1, Insightful)
There could be a dumb bug just waiting to be exploited but because (I assume) your system is not public then there probably have been no (or very simple) attacks on it.
Anyone can make a mistake. It's not just about the design. The implementation could have any number of bugs that would compromise security. Although I don't know what your testing practices are like, I can say most programmers do an inadequate amount of testing. You need to try to break into your own system using techniques never imagined.
Even if you did all that though, there's no telling what kind of bugs lie in wait.
Re:Remember... (Score:5, Insightful)
See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."
They want it both ways, and they seem to have gotten it.
Re:MS announcement (Score:2, Insightful)
http://slashdot.org/comments.pl?sid=63519&
Please enlighten us.
Re:Remember... (Score:3, Insightful)
I think the theory is, that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.
Well, at least take the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.
Re:Remember... (Score:1, Insightful)
Then after a while, it all dies down, and nobody switches to Linux or does anything else about it.
Why?
Because IT COSTS TOO MUCH TO SWITCH. I see it all the time. My boss HATES microsoft but can't pay to move all the apps to Linux, and can't force the clients to switch.
Microsoft can do ALMOST anything and the worst that happens is they shed a few small business customers.
AVOID LOCK IN! If you're starting a business, base it around Free software with a few Macs and Windows on the edge, it costs A LOT LESS to move from one free software vendor to the other.