Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
  • Remember... (Score:5, Funny)

    by stu_coates ( 156061 ) * on Thursday May 08, 2003 @08:16AM (#5909141)
    Remember folks, this is Trustworthy Computing! ;-)
    • Re:Remember... (Score:5, Informative)

      by Anonymous Coward on Thursday May 08, 2003 @08:20AM (#5909160)
      according to a Dutch news site this hole was fixed shortly after the posting... So that's the way to talk to Microsoft..... for people knowing how to read Dutch (no NOT German)..
    • by rf0 ( 159958 )
      I wouldn't trust them to feed my fish.

    • Re:Remember... (Score:5, Insightful)

      by ctellefsen ( 625088 ) on Thursday May 08, 2003 @08:40AM (#5909261)
      It's a good thing that (according to M$ ads) the hacker is an endangered species, so that there is no one around to exploit this exploit.

      Current score: XBox is hacked, Passport is insecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.

      Welcome to the age of untrustworthy computing...

      • Re:Remember... (Score:5, Interesting)

        by ConceptJunkie ( 24823 ) on Thursday May 08, 2003 @10:38AM (#5910036) Homepage Journal
        But where's the public outrage?

        We on /. regularly vent our spleens (including me, and I'm a Microsoft user myself) about this blatantly bad situation, but Microsoft continues to prevail, and except for the occasional story, there really seems to be no negative impact on their business (much of which seems to be spinning their abysmal record in "trustworthiness").

        Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.
        • Re:Remember... (Score:3, Insightful)

          Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

          I think the theory is that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.

          Well, at least it takes the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.

    • by ( 637314 ) on Thursday May 08, 2003 @08:40AM (#5909263) Homepage Journal
      That's one degree of difference with .NET!
    • Re:Remember... (Score:5, Informative)

      by m00nun1t ( 588082 ) on Thursday May 08, 2003 @08:52AM (#5909328) Homepage
      I fully agree this passport problem is a lame & inexcusable fault that should never, ever have happened.

      However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

      The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.
      • Re:Remember... (Score:2, Insightful)

        by beuges ( 613130 )
        So does that mean they can get away with ignoring bugs in software that can expose personal details and credit card numbers to anyone?

        I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really.
        • Re:Remember... (Score:5, Insightful)

          by ConceptJunkie ( 24823 ) on Thursday May 08, 2003 @10:34AM (#5909999) Homepage Journal
          Why should Microsoft be "taken to the cleaners", when their EULAs state that any similarity between the software they sell and what they claim they are selling is purely coincidental?

          See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."

          They want it both ways, and they seem to have gotten it.

    • by mbourgon ( 186257 ) on Thursday May 08, 2003 @09:16AM (#5909448) Homepage
      MS has admitted that Trustworthy Computing has nothing to do with security. It's all about whether you trust Microsoft. Do you trust them enough to give them money? If so, they've met their goals.
  • by LookSharp ( 3864 ) on Thursday May 08, 2003 @08:18AM (#5909149)
    Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

    Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious
    • by Anonymous Coward on Thursday May 08, 2003 @08:52AM (#5909323)
      I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

      Don't bother, I just did it for you.
      • by jkrise ( 535370 ) on Thursday May 08, 2003 @09:37AM (#5909583) Journal
        It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).

        Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.

        This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.
  • by Anonymous Coward on Thursday May 08, 2003 @08:19AM (#5909155)
    ...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....
  • 404 error (Score:2, Informative)

    by uberdood ( 154108 )
    Er, already fixed. I get a 404 error when I go there (with appropriate e-mail addresses).
    • Sounds like a really tough fix... Delete the offending page... "There, see, it's secure."
  • In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

  • by girl_geek_antinomy ( 626942 ) on Thursday May 08, 2003 @08:22AM (#5909167)
    The depressing thing is, it's such a simple exploit...

    Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.

    When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly what who would be able to do what with it. It's just common sense, surely?
    • by @madeus ( 24818 ) on Thursday May 08, 2003 @08:54AM (#5909337)
      I agree completely.

      I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels ( for the username) it was admittedly a little more complex than your average auth system).

      In the end the system has a really solid auth system; everything is authenticated, and when you try and actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.

      It required mind numbing discussions again and again to get it done but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).

      I utterly, utterly despair when I see cgi scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).

      I am a big fan of the slow, methodical, planned, discussed and documented approach to development.

      The previous exploits for hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...
      • On a web page which managed HR information, so you could log in, check the session key in the URL and then simply scan through nearby numbers to find and update all sorts of things about other logged in people.

        'Twas a highly expensive piece of software as well...

  • A legitimate use? (Score:2, Informative)

    by Gleeb ( 645116 )
    Thank the lord for POP ;)
    • Indeed. I just recently fully migrated from my abominable Hotmail address to my POP3. I can't believe how bad Hotmail's gotten, between popups, appending service ads to your outgoing mail, changing their login screen to be full of (guess what) ads, and not letting you correctly apply your own spam filters.

      No indeedy! If I want to redirect mail with my own filters, I can't actually send it to the size-unrestricted Junk Mail folder!

  • by retards ( 320893 ) on Thursday May 08, 2003 @08:22AM (#5909171) Journal
    We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!
  • now be fair (Score:5, Funny)

    by Joe the Lesser ( 533425 ) on Thursday May 08, 2003 @08:22AM (#5909172) Homepage Journal
    unsuccessful attempts to contact Microsoft.

    It's not their fault Outlook kept crashing, right?
    • "It's not their fault Outlook kept crashing, right?"

      Nope... actually was taken over by
      The GNU team folks are promising a fix faster than MS, provided they can make the entire code GPL!
  • by rf0 ( 159958 )
    Just tried this to reset one of my accounts and got a 404 on So I suppose this is fixed. I was actually trying to find out if it affected non hotmail addresses which had been linked to M$ Passport

  • by Ralph Wiggam ( 22354 ) * on Thursday May 08, 2003 @08:23AM (#5909176) Homepage
    Holy Crap!

    If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

    With .NET, there's only one degree of separation between me and evil crackers.

  • good (Score:5, Funny)

    by Nevrar ( 65761 ) on Thursday May 08, 2003 @08:23AM (#5909178)
    "...the victim's accounts..."

    It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)
  • Oh no (Score:5, Funny)

    by Rik Sweeney ( 471717 ) on Thursday May 08, 2003 @08:24AM (#5909180) Homepage
    A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

    But that spam is personal to me. It's not for anyone else.
  • by jkrise ( 535370 ) on Thursday May 08, 2003 @08:24AM (#5909182) Journal
    "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "

    I fail to u'stand what Microsoft .NET Passport means. I only know Hotmail said:
    In 1999: Login to Hotmail
    In 2000: Login to Passport
    2001 and later: Login to .Net

    Nobody seems to know what the hell .Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.

    Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.
  • Nice going, MS. (Score:5, Interesting)

    by Renraku ( 518261 ) on Thursday May 08, 2003 @08:24AM (#5909184) Homepage
    Too bad this was caused by a blatant underestimation of the power of curious users. If I had ever used the feature, I would have picked it up instantly.
  • Finally... (Score:2, Funny)

    by rf0 ( 159958 )
    All those l33t hax0rs can now stop asking how to hack hotmail. The answer's right here (if it wasn't 404'd)

  • by johannesg ( 664142 ) on Thursday May 08, 2003 @08:26AM (#5909190)
    ...where I don't want to go today.

    Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

  • by hrbrmstr ( 324215 ) * on Thursday May 08, 2003 @08:27AM (#5909197) Homepage Journal
    While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?

    And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.

    Constant vulnerabilities == no real DRM.
  • If those guys at Microsoft keep up their abysmal record of 'security', there will be no point whatsoever in Palladium/NGSCB/NewCoolMSName/whatever keeping a computer 'trusted'; when a 'trusted' part of the system has a hole as big as this hotmail flaw, that leaves the whole system wide open.

    Does the XBox BIOS accept URLs of some sort?

    boot://localhost/bootmrg.sys?lc=1033&id=&boot=lilo

  • Jokes aside... (Score:5, Interesting)

    by ParnBR ( 601156 ) on Thursday May 08, 2003 @08:30AM (#5909221) Homepage
    Sooner or later they'll start blaming users for providing personal information, and excusing websites and companies from security flaws.
  • Repeat this rapidly ten times, and watch your tongue get locked faster than Windows XP!!
  • by archetypeone ( 599370 ) on Thursday May 08, 2003 @08:32AM (#5909231) Homepage
    or is going to be really pissed...
  • by Anonymous Coward on Thursday May 08, 2003 @08:33AM (#5909238)
    You expect security from a company with one of the worst track records in the industry? Ha!
    The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.
    • by PerryMason ( 535019 ) on Thursday May 08, 2003 @09:07AM (#5909395)
      The problem with proactive auditing is that it takes time, and as we all know, time is money. Personally I think it's harsh to put the blame on the coders as I've been involved in alpha and beta testing quite a few apps over the years and almost without exception, the bean counters force the release of a product before the coders are happy with it.

      Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?
  • Flawed concept (Score:3, Insightful)

    by YrWrstNtmr ( 564987 ) on Thursday May 08, 2003 @08:35AM (#5909246)
    And eventually, we will see a similar exploit on Sun's Liberty system as well.

    The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
    • Re:Flawed concept (Score:4, Interesting)

      by Zathrus ( 232140 ) on Thursday May 08, 2003 @09:19AM (#5909465) Homepage
      And eventually, we will see a similar exploit on Sun's Liberty system as well.

      While we will undoubtedly see exploits on any system large enough to attract interest, I don't think Sun would code something this brain-dead stupid.

      The industry standard is to ask for a passphrase when you forget your password. MS didn't even do this. I'm still wondering what junior level coder came up with this one though... I can't even express how stupid this is.

      The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

      So we work to make it better... abandoning the concept entirely isn't going to happen. It's a worthwhile concept IMO, and while there's a lot of issues to be worked out that's not to say that they can't be. Most people would be willing to use a "strong" password if they only had to remember one. When you have to remember a dozen then forget it - the vast majority of people are going to use something like "password" or an easily guessable word from their personal life. Remembering "df783N:pa04uYG" and another dozen variants just isn't going to happen.
  • by Albanach ( 527650 ) on Thursday May 08, 2003 @08:39AM (#5909258) Homepage
    This raises an interesting question about how, exactly, you are supposed to notify Microsoft by email.

    Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.

    This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?

    • by Anonymous Coward
      Yes, it's called posting on slashdot, silly!
    • by zakezuke ( 229119 ) on Thursday May 08, 2003 @08:49AM (#5909302)
      There is an outlined procedure for this sorta thing...

      In the event a user discovers an exploit, inform user to reboot machine and it will go away.

      But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People who I've known that worked there also have no clue as far as who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking the vendor is Microsoft.
      • by Zak3056 ( 69287 ) on Thursday May 08, 2003 @09:16AM (#5909446) Journal
        But seriously, there seems to be no OFFICIAL way for end users to actually contact microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to.

        Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!

        As one might expect, this would cause the installation to bomb, and no explanation would be given to the user. Attempting to resume the installation would also fail. The solution was, of course, to go into the installer's temp directory and delete the bad CAB files and re-download them, but most users wouldn't know where to find them, and would be forced to start from scratch.

        When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.
    • RTFA (Score:2, Informative)

      by Anonymous Coward
    • by PerryMason ( 535019 ) on Thursday May 08, 2003 @08:53AM (#5909332)
      Do they actually have a procedure to inform them when things are broken?

      As far as I'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.
    • I don't know about you guys, but I just got this from my buddy Steve Ballmer today:

      From Thu May 08 01:26:33 2003
      Return-Path: <>
      Received: (qmail 8935 invoked from network); 8 May 2003 01:26:32 -0000
      Received: from unknown (HELO (
      by xxxxxxxxxxxx with SMTP; 8 May 2003 01:26:12 -0000
      Received: from TK2MSFTDDSQ04 ([]) by with

  • by TubeSteak ( 669689 ) on Thursday May 08, 2003 @08:46AM (#5909289) Journal
    "Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts."

    It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.

    ~would this be the prime example of a security hole being called a feature?~

    • Not to mention the real damage -- solid evidence that no matter how many assurances Microsoft gives you that your data is safe and they've taken all precautions, you simply cannot trust them with important personal data. How many times does your bank have to 'whoops' a $1500 deposit before you decide that it's just not acceptable to do business with them? Once is usually enough.

      Having your website defaced is one thing, and having a day-long network headache because of the most recent worm is one thing, b
  • thoughts (Score:2, Interesting)

    by unborracho ( 108756 )
    Since the report wasn't very descriptive, I was hoping someone could enlighten me. I would assume that since they don't ask you to provide your old password to change it, this is a method for users who forgot their old password to get it reset to some random password that Microsoft gave, and have it sent to an email that the user provided from the website.

    So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with .NET? (assuming it's
    • Re:thoughts (Score:5, Informative)

      by Kredal ( 566494 ) on Thursday May 08, 2003 @09:26AM (#5909510) Homepage Journal
      since it's been 404'd, I'll provide it here.

      If you went to: lc =1033&

      and replaced the victim address to a real user, and the to your address, they would send you an email telling you to click on another link, and you could set your own password. Voila, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.
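The flaw Kredal describes, and the point AlphaSys makes later in the thread about passing values in the URL that the user should never be allowed to supply, both come down to a reset handler that takes the destination address from the request. The following is an added example written for this thread, not code from Microsoft or from any poster: it shows that pattern next to a hardened handler that only ever mails the recovery address on file and protects the link with a random, expiring, single-use token. The account store, addresses and URLs are constructed stand-ins.

```python
"""Password-reset handler: the flawed pattern next to a hardened one.

Added example for this thread; the account store, addresses and URLs are
constructed stand-ins, not Microsoft's code or data.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample account store (hypothetical): each account carries a
# recovery address fixed at registration time, never at reset time.
ACCOUNTS = {
    "victim@example.test": {"recovery_email": "victim-backup@example.test"},
}

RESET_TTL_SECONDS = 15 * 60


@dataclass
class Outbox:
    """Stand-in for the mail server; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to_addr, body):
        self.sent.append((to_addr, body))


def flawed_request_reset(params, outbox):
    """The pattern described in the thread: the reset link goes to whatever
    address the request's 'newemail' value names, so whoever builds the URL
    chooses the destination. Kept only as the 'before' for comparison."""
    account = params.get("target", "")
    if account not in ACCOUNTS:
        return False
    outbox.send(params.get("newemail", ""),
                "https://reset.example.test/confirm?id=" + account)
    return True


class ResetService:
    """Hardened handler: the destination comes only from the account record,
    and the link carries a random, expiring, single-use token."""

    def __init__(self, outbox, clock=time.time):
        self.outbox = outbox
        self.clock = clock
        self._pending = {}  # token -> (account, expiry timestamp)

    def request_reset(self, params):
        account = params.get("target", "").strip().lower()
        record = ACCOUNTS.get(account)
        # Report success either way so the endpoint does not reveal which
        # accounts exist.
        if record is None:
            return True
        token = secrets.token_urlsafe(32)
        self._pending[token] = (account, self.clock() + RESET_TTL_SECONDS)
        # Any caller-supplied address (a 'newemail' parameter, say) is ignored;
        # the mail goes only to the recovery address stored at registration.
        self.outbox.send(record["recovery_email"],
                         "https://reset.example.test/confirm?token=" + token)
        return True

    def confirm_reset(self, token, new_password):
        # Single use: the token is consumed on the first attempt, valid or not.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        account, expiry = entry
        if self.clock() > expiry:
            return False
        # Store a salted PBKDF2 hash rather than the password itself.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        ACCOUNTS[account]["password_hash"] = (salt, digest)
        return True
```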

  • 404 (Score:2, Informative)

    by Richard_J_M ( 85730 )
    The vulnerability seems to return a 404 - so it seems hotmail have taken notice after all - even though it took a /. to make them notice.
  • by Ashyukun ( 551101 ) on Thursday May 08, 2003 @08:50AM (#5909311) Homepage
    Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.
    • by FauxPasIII ( 75900 ) on Thursday May 08, 2003 @09:05AM (#5909393)
      I think I speak for everyone here when I ask... What's your last name ?!
      • his name is probably (Score:5, Informative)

        by abhisarda ( 638576 ) on Thursday May 08, 2003 @10:01AM (#5909732) Journal
        Robert Babcock.

        Do a search for Ashyukun on google.

        Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?
    • by dubstop ( 136484 ) * on Thursday May 08, 2003 @09:14AM (#5909440)
      That's how it starts.

      In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

      Where do you want to go today?
    • by pcardoso ( 132954 ) on Thursday May 08, 2003 @09:30AM (#5909540) Homepage
      funny... I just had the same problem while registering a hotmail account for my girlfriend to use, so we could IM each other... most of our contacts are MSN addresses, so Windows Messenger was the best choice. I don't like that much, but what the hell! Gaim has no problems with that..

      Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive an error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added an underscore and it was all ok...
  • Funny stuff (Score:2, Funny)

    by Anonymous Coward
    From the page, in a big green box, under the title "SECURITY", it reads:

    Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.
  • This is not new (Score:5, Informative)

    by johnatjohnytech ( 632978 ) <john.johnytech@com> on Thursday May 08, 2003 @09:07AM (#5909398) Homepage
    This is not a new thing, this has been around for a while.

    It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.

    Don't believe me? Do a search on kazaa for hotmail passwords. You will find several txt/docs with these or similar instructions.

  • MS announcement (Score:3, Informative)

    by fudgefactor7 ( 581449 ) on Thursday May 08, 2003 @09:29AM (#5909530)
    Passport Security Issue. MS was listening, Muhammad Faisal Rauf was just too impatient. Probably just wanted credit as being "kewl," or something.
  • by doublem ( 118724 ) on Thursday May 08, 2003 @09:39AM (#5909590) Homepage Journal
    Hotmail password hacker.doc


    Step 1:
    send a mail to with PW: fetchpass in the subject line

    Step 2: The email body
    In the first line: put the complete email address of the user whose password you want.

    In the 5th line, type the email address and the login (pass) you want the password sent to,
    here is an example:

    Subject: PW: fetchpass
    CC.________________ BCC.___________________
    =-email body-=

    your email address here example.:
    your pass here example.: mypassword
  • by Jugalator ( 259273 ) on Thursday May 08, 2003 @09:41AM (#5909598) Journal
    One Company to rule them all
    One Hacker to find them
    One Exploit to bring them all
    to the attacker's power
  • by AlphaSys ( 613947 ) on Thursday May 08, 2003 @10:24AM (#5909916)
    I usually stand up for the Redmond boys if there's some bashing going on and not a lot of balance to the issue. But this is just an incredibly stupid hole to have open. Why would you ever, ever, ever pass details in the URL string that the user himself need not (and should not be allowed to) supply? If it is because you are passing it among servers in some fancy-schmancy web service scheme, then at least have the decency to hide the exploitable name/value pair in an http header or something (but even this should not be necessary for what they are doing, even if my guess as to how their backend works is wayyy offbase). Somebody said it earlier in the discussion that it is because developers (using the term lightly) add features without thinking of how to do it right and how to do it securely and just pass any old thing in the URL string, and they were right on the mark.

    Some coders (again using the term loosely) at my organization used to do this absolutely all the time and I would bitch about how piss poor it was from a security angle (and regularly demonstrate how easy it was to circumvent the intended "security" mechanisms). Everybody laughed at me when I did... that is until one of our largest customers hired an outside firm to audit the "security" of the apps they were getting. It took the firm very little time to discover these nuggets, of course. It is interesting to note that they reported that the application security was among the poorest they had seen, but that the server configurations (my department) were among the tightest. The sad thing is the stupid customer basically thought the two canceled each other out, threw some extra money at redesigning the application to meet the standards it should have to begin with, rewarded our systems team which had done it right the first time with absolutely squat, and renewed the contract for another five years. Shows you how much the corporate world understands what's really going on.

  • *Sigh* (Score:3, Funny)

    by White Roses ( 211207 ) on Thursday May 08, 2003 @11:40AM (#5910547)
    The unfortunate thing is that I don't know anyone who is both (a) stupid enough to use Hotmail and (b) grotesquely stupid enough to store personal information in Passport.

    I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.

    But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).

  • by Genus Marmota ( 59217 ) on Thursday May 08, 2003 @01:10PM (#5911335)
    I don't mean to bash MS (there are so many on /. that do it so well) but realistically these kinds of security problems are very unlikely to stop happening. If you've worked there as a dev, even if only for a few months, you probably have a good idea why this is. It's not because people are uncaring or incompetent. The big obstacles are 1) their own history and culture and 2) the enormity of their codebase. Here's why I think so.

    If you've made any study of it at all you know that effective security results from a process that starts before the software is even written. There is no protocol that will save you from logic errors (like the latest Passport hole). To do this requires a good understanding by the devs of security and their adherence to design principles and coding practices. To do that you need a software development methodology that enforces the consistent application of those principles and practices. Therein lies the problem.

    In my little corner of MS (though by all accounts it was typical of the company as a whole) what was prized above all was meeting requirements and deadlines. Virtually no energy was put into the development environment (hence the hour I spent every morning just downloading the nightly build, the insane .bat scripts, constantly fixing my own NT install as a $55/hr contractor). Nobody got "c-hours" for making life easier. More importantly, there was little value placed on design, good technique. Lip service was paid in meetings and reviews, of course, and superficial style details received obsessive scrutiny. Code reviews often bogged down on correct Hungarian notation but a unit test consisting of "return true" was perfectly OK. The "heroes" were people with big brain muscles who spent nights and weekends hammering out code to meet the latest deadline.

    The result of all this was a coding culture that I called the kingdom of cut-and-paste. I was actually encouraged to write routines by starting with someone else's routine to do something unrelated and edit it to do my task. A colleague would stand over my shoulder browsing the codebase looking for something convenient to steal. It was a shock to realize how little code people actually wrote. This is one of the things that I hated about working there, that I spent so much of my time fscking with the various APIs, incomprehensible include file hierarchies and so little time writing C++.

    Well, in my Intro to Fortran class in '77 the prof explained why massive code duplication is a bad idea, and the results are visible in every MS product. You can't fix a bug in one place, you have to fix it every place it got copied to, and you don't know where those are. The codebase is now on the order of 100'sM lines or better? Probably not even MS has a good handle on this, because they can't know for sure how much duplication (with tiny variations) there is (clue: lots).

    Once a company grows to a considerable size it's really hard to change the culture. I've seen this at several startups. MS is like a battleship or an aircraft carrier. High-tech and deadly but turning that boat around is really hard and simply may not happen in a short distance. Expecting them to change their performance WRT security in a few months (or a year) is kind of like expecting the old Soviet apparatchiks to start respecting civil liberties and human dignity because the Central Committee sends out a memo. Good luck. It's a city unto itself in Redmond, its own little world. And even if you did, what the hell are you going to do about the millions of lines of (largely incomprehensible) code in the installed base? The millions of systems in the wild that are unpatched and unmaintained?

    I see many of the same disasters being recapitulated in .NET. They may talk security and I'm sure they're trying hard but I expect that their long term strategies are going to rely more on legislation than the (probably impossible) task of bringing their products t