Security Microsoft

Security Vulnerability in Microsoft .NET Passport 440

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
This discussion has been archived. No new comments can be posted.

  • by girl_geek_antinomy ( 626942 ) on Thursday May 08, 2003 @08:22AM (#5909167)
    The depressing thing is, it's such a simple exploit...

    Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.

    When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly who would be able to do what with it. It's just common sense, surely?
  • by jkrise ( 535370 ) on Thursday May 08, 2003 @08:24AM (#5909182) Journal
    "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "

    I fail to u'stand what Microsoft .NET Passport means. I only know Hotmail said:
    In 1999: Login to Hotmail
    In 2000: Login to Passport
    2001 and later: Login to .Net

    Nobody seems to know what the hell .Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.

    Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.
  • Re:FUD (Score:3, Insightful)

    by girl_geek_antinomy ( 626942 ) on Thursday May 08, 2003 @08:25AM (#5909186)
    Instead if you're a legitimate user who's forgotten their password you're now f*cked. *sigh*. Nice to know things have improved then...
  • by hrbrmstr ( 324215 ) * on Thursday May 08, 2003 @08:27AM (#5909197) Homepage Journal
    While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?

    And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.

    Constant vulnerabilities == no real DRM.
  • Re:FUD (Score:3, Insightful)

    by markov_chain ( 202465 ) on Thursday May 08, 2003 @08:28AM (#5909202)
    Sure, *this one* is fixed, but it sure doesn't inspire confidence in the security of their service. Who knows if there are other holes left for crackers to exploit...
  • Flawed concept (Score:3, Insightful)

    by YrWrstNtmr ( 564987 ) on Thursday May 08, 2003 @08:35AM (#5909246)
    And eventually, we will see a similar exploit on Sun's Liberty system as well.

    The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
  • Re:FUD (Score:3, Insightful)

    by Anonymous Coward on Thursday May 08, 2003 @08:36AM (#5909247)
    fixed? they disabled resetting of passwords... that is a quick hack to stop the bleeding, but it does not get around the real issue of poor design. is it that hard to actually think about what kind of input can come in a query string, and what should be done with it? aren't they supposed to be professionals? i learned about this in a CS course, and i couldn't help thinking, "duh, any sensible person wouldn't be that stupid..." obviously i was wrong.
  • by Anonymous Coward on Thursday May 08, 2003 @08:36AM (#5909250)
    has come up with a viable alternative to Passport, right? One that will allow me to authenticate once to a single source and then access all my applications?

    No?

    Didn't think so.
  • Re:FUD (Score:5, Insightful)

    by CowboyBob500 ( 580695 ) on Thursday May 08, 2003 @08:37AM (#5909253) Homepage
    Fixed does not mean simply 404ing the offending page. There are many legitimate users now who cannot change their passwords. This is a cheap hack while they work out what the fsck to do about the real problem.

    Bob
  • Re:Remember... (Score:5, Insightful)

    by ctellefsen ( 625088 ) on Thursday May 08, 2003 @08:40AM (#5909261)
    It's a good thing (according to M$ ads) that the hacker is an endangered species, so that there is no one around to exploit this exploit.

    Current score: XBox is hacked, Passport is unsecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.

    Welcome to the age of untrustworthy computing...

  • by TubeSteak ( 669689 ) on Thursday May 08, 2003 @08:46AM (#5909289) Journal
    "Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts."

    It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.

    ~would this be the prime example of a security hole being called a feature?~

  • by @madeus ( 24818 ) <slashdot_24818@mac.com> on Thursday May 08, 2003 @08:54AM (#5909337)
    I agree completely.

    I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).

    In the end the system has a really solid auth system: everything is authenticated, and when you try and actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.

    It required mind-numbing discussions again and again to get it done but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non-technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).

    I utterly, utterly despair when I see CGI scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).

    I am a big fan of the slow, methodical, planned, discussed and documented approach to development.

    The previous exploits for Hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...
  • by PerryMason ( 535019 ) on Thursday May 08, 2003 @09:07AM (#5909395)
    The problem with proactive auditing is that it takes time, and as we all know, time is money. Personally I think it's harsh to put the blame on the coders as I've been involved in alpha and beta testing quite a few apps over the years and almost without exception, the bean counters force the release of a product before the coders are happy with it.

    Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?
  • Re:Remember... (Score:2, Insightful)

    by beuges ( 613130 ) on Thursday May 08, 2003 @09:07AM (#5909399)
    So does that mean they can get away with ignoring bugs in software that can expose personal details and credit card numbers to anyone?

    I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, I think that Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really - if they don't fix it, they'll end up the dumbasses, cos people will lose their trust in the Passport system, and use other means for online transactions.
  • Re:404 error (Score:2, Insightful)

    by jlanng ( 130635 ) on Thursday May 08, 2003 @09:10AM (#5909405) Homepage
    It returns an HTTP status of 404, so it is a proper 404
  • by Bob9113 ( 14996 ) on Thursday May 08, 2003 @09:19AM (#5909467) Homepage
    Even if M$ manages to get DRM out there, how riddled with holes will it be?

    The problem is not whether it works - we all know that DRM is technically impossible (analog hole). The problem is that combined with the DMCA, DRM makes fair use illegal. If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.
  • by Anonymous Coward on Thursday May 08, 2003 @10:21AM (#5909897)
    Who's to say your system is any more secure?

    There could be a dumb bug just waiting to be exploited but because (I assume) your system is not public then there probably have been no (or very simple) attacks on it.

    Anyone can make a mistake. It's not just about the design. The implementation could have any number of bugs that would compromise security. Although I don't know what your testing practices are like, I can say most programmers do an inadequate amount of testing. You need to try to break into your own system using techniques never imagined.

    Even if you did all that though, there's no telling what kind of bugs lie in wait.
  • Re:Remember... (Score:5, Insightful)

    by ConceptJunkie ( 24823 ) on Thursday May 08, 2003 @10:34AM (#5909999) Homepage Journal
    Why should Microsoft be "taken to the cleaners", when their EULAs state that any similarity between the software they sell and what they claim they are selling is purely coincidental?

    See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."

    They want it both ways, and they seem to have gotten it.

  • by Anonymous Coward on Thursday May 08, 2003 @11:27AM (#5910423)
    then you need to make backups of the password file for mozilla because if you had a disk failure and you lost all of your random passwords then you would be screwed
  • Re:FUD (Score:3, Insightful)

    by N3WBI3 ( 595976 ) on Thursday May 08, 2003 @11:31AM (#5910464) Homepage
    So if I am an ISP and I have a hole in my service is unplugging the server a fix?? that is basically what they did. Now it's the right thing to do (make sure nobody can change **until** you have it fixed)..
  • Re:MS announcement (Score:2, Insightful)

    by merchant_x ( 165931 ) on Thursday May 08, 2003 @12:20PM (#5910927)
    So what's the correct address to report bugs to Microsoft? As you can see from this thread of posts several slashdotters are in the dark about this.
    http://slashdot.org/comments.pl?sid=63519&cid=5909258
    Please enlighten us.
  • Re:Remember... (Score:3, Insightful)

    by EvilTwinSkippy ( 112490 ) <yoda AT etoyoc DOT com> on Thursday May 08, 2003 @03:01PM (#5912348) Homepage Journal
    Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

    I think the theory is, that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.

    Well, at least take the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.

  • Re:Remember... (Score:1, Insightful)

    by Anonymous Coward on Thursday May 08, 2003 @04:39PM (#5913462)
    Yeah, whenever M$ does something, the magazines and message boards are FULL of angry posts from CxO's and folks who are upset.

    Then after a while, it all dies down, and nobody switches to Linux or does anything else about it.

    Why?

    Because IT COSTS TOO MUCH TO SWITCH. I see it all the time. My boss HATES microsoft but can't pay to move all the apps to Linux, and can't force the clients to switch.

    Microsoft can do ALMOST anything and the worst that happens is they shed a few small business customers.

    AVOID LOCK IN! If you're starting a business, base it around Free software with a few Macs and Windows on the edge, it costs A LOT LESS to move from one free software vendor to the other.
