Security Vulnerability in Microsoft .NET Passport
Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.
Remember... (Score:5, Funny)
Re:Remember... (Score:5, Informative)
nu.nl [nu.nl] for people knowing how to read dutch (no NOT german)..
Re:Remember... (Score:5, Funny)
If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.
Re:Remember... (Score:3, Informative)
Re:Remember... (Score:4, Informative)
Re:Remember... (Score:3, Funny)
Rus
MS-Passport and those that cannot/willnot read (Score:5, Informative)
There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz [com.com] to last through September.
We'll see if they last [pcmag.com] that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.
Probably Microsoft code is difficult to maintain. (Score:5, Interesting)
After months of trying to understand Microsoft's situation (Windows XP Shows the Direction Microsoft is Going [hevanet.com]), I came to the conclusion that the Microsoft management style leads to mountains of sloppy code that is difficult to maintain. That's the only theory that seems to fit. For example, in the Internet Explorer browser alone, for years there have been more serious security bugs than Microsoft has fixed. There are, at present, 14 security vulnerabilities [pivx.com].
Here is the recent record. The list of defects has been similar for years. Also, this is a record only of security defects, not all defects:
Obviously, Microsoft could fix the bugs if the company wanted to fix them. But the company apparently lacks the will to devote the resources necessary (IE still does not have tabbed browsing), and apparently also, it is not easy.
Re:Remember... (Score:5, Insightful)
Current score: XBox is hacked, Passport is unsecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.
Welcome to the age of untrustworthy computing...
Re:Remember... (Score:5, Interesting)
We on
Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.
Re:Remember... (Score:3, Insightful)
I think the theory is, that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.
Well, at least it takes the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.
Re:Remember... (Score:5, Funny)
Re:Remember... (Score:5, Informative)
However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.
The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.
Re:Remember... (Score:2, Insightful)
I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, then Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really.
Re:Remember... (Score:5, Insightful)
See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."
They want it both ways, and they seem to have gotten it.
Re:Remember... (Score:5, Funny)
Oh my God (Mad scramble) (Score:5, Funny)
Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past...
Re:Oh my God (Mad scramble) (Score:5, Funny)
Don't bother, I just did it for you.
Re:Oh my God (MS explains it all..) (Score:5, Funny)
Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport
This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.
As lame as it sounds... (Score:5, Funny)
Try stealing billgates@hotmail.com (Score:2, Funny)
Re:Try stealing billgates@hotmail.com (Score:4, Funny)
Rus
Re:Try stealing billgates@hotmail.com (Score:3, Funny)
I got webmaster@... and I believe my friend got administrator@...
I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it
Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.
I did
404 error (Score:2, Informative)
Really tough fix (Score:3, Funny)
Could be worse... (Score:2, Funny)
Re:404 error (Score:2, Insightful)
What breed of idiot are you? (Score:5, Informative)
Re:What breed of idiot are you? (Score:3, Funny)
This would be a lot more fun to see though...
Security flaw in Passport!!!! (Score:5, Funny)
In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.
Re:Security flaw in Passport!!!! (Score:3, Funny)
I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?
Re:Security flaw in Passport!!!! (Score:3, Funny)
twice two is four
It seems you are overdue for your appointment at miniluv, thought criminal!
Oh no, not again... (Score:5, Insightful)
Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.
When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly who would be able to do what with it. It's just common sense, surely?
I agree completely. (Score:5, Insightful)
I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).
In the end the system has a really solid auth system: everything is authenticated, and when you try and actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.
It required mind-numbing discussions again and again to get it done, but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non-technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).
I utterly, utterly despair when I see cgi scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).
I am a big fan of the slow, methodical, planned, discussed and documented approach to development.
The previous exploits for hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...
My company used incrementing session keys. (Score:3, Interesting)
'Twas a highly expensive piece of software as well...
culture of security (Score:3, Interesting)
A: You're way off about changing peoples' approach. The sad fact is people like that are in pain-avoidance mode. Give them pain. Give them a productive way to avoid the pain. There must be code review. One guy does a little coding, another guy has to sign off on it. A third has to sign off that it has been tested (whether or not any testing actually happens is not important). All three get burned if anything bad happens: after-hours or weekend work to fix it NOW? The rate of code churn goes down, and the q
A legitimate use? (Score:2, Informative)
Re:A legitimate use? (Score:2)
No indeedy! If I want to redirect mail with my own filters, I can't actually send it to the size-unrestricted Junk Mail folder!
Re:A legitimate use? (Score:2)
The Microsoft Information Minster Says: (Score:5, Funny)
now be fair (Score:5, Funny)
It's not their fault Outlook kept crashing, right?
Re:now be fair (Score:2)
Nope... actually support@hotmail.com was taken over by rms-gnu@hotmail.com
The GNU team folks are promising a fix faster than MS, provided they can make the entire code GPL!
"Fixed" (Score:2)
Rus
Ruh Roh Raggy (Score:5, Funny)
If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.
With
-B
Re:Ruh Roh Raggy (Score:5, Funny)
good (Score:5, Funny)
It's nice to see people are finally realising that Passport/Hotmail users are victims.
Oh no (Score:5, Funny)
But that spam is personal to me. It's not for anyone else.
Can someone explain this? (Score:5, Insightful)
I fail to u'stand what Microsoft
In 1999: Login to Hotmail
In 2000: Login to Passport
2001 and later: Login to
Nobody seems to know what the hell
Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.
Re:Can someone explain this? (Score:5, Funny)
Re:Can someone explain this? (Score:3, Funny)
So who wants to join the
Re:Can someone explain this? (Score:3, Informative)
But the short answer to your question is that yes, the overkill of .NET branding has muddied and confused the perception of what .NET is. But hey, everyone in the world knows the name, so mission accomplished?
Nice going, MS. (Score:5, Interesting)
Finally... (Score:2, Funny)
Rus
Well, at least now I know... (Score:5, Funny)
Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...
This should encourage anti-DRM folks (Score:5, Insightful)
And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.
Constant vulnerabilities == no real DRM.
Re:This should encourage anti-DRM folks (Score:5, Insightful)
The problem is not whether it works - we all know that DRM is technically impossible (analog hole). The problem is that combined with the DMCA, DRM makes fair use illegal. If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.
Palladium/NGSCB (Score:2)
If those guys at Microsoft keep up their abysmal record of 'security', there will be no point whatsoever in Palladium/NGSCB/NewCoolMSName/whatever keeping a computer 'trusted'; when a 'trusted' part of the system has a hole as big as this hotmail flaw, that leaves the whole system wide open.
Does the XBox BIOS accept URLs of some sort?
boot://localhost/bootmrg.sys?lc=1033&id=&boot=lilo
Jokes aside... (Score:5, Interesting)
Microsoft .NET Passport Passwords.. :-) (Score:2, Funny)
Whoever has got... (Score:5, Funny)
What do people expect? (Score:4, Interesting)
The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.
Re:What do people expect? (Score:5, Insightful)
Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?
Flawed concept (Score:3, Insightful)
The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
Re:Flawed concept (Score:4, Interesting)
While we will undoubtedly see exploits on any system large enough to attract interest, I don't think Sun would code something this brain-dead stupid.
The industry standard is to ask for a passphrase when you forget your password. MS didn't even do this. I'm still wondering what junior level coder came up with this one though... I can't even express how stupid this is.
The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.
So we work to make it better... abandoning the concept entirely isn't going to happen. It's a worthwhile concept IMO, and while there's a lot of issues to be worked out that's not to say that they can't be. Most people would be willing to use a "strong" password if they only had to remember one. When you have to remember a dozen then forget it - the vast majority of people are going to use something like "password" or an easily guessable word from their personal life. Remembering "df783N:pa04uYG" and another dozen variants just isn't going to happen.
How do you contact Microsoft? (Score:5, Interesting)
Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.
This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?
Re:How do you contact Microsoft? (Score:2, Informative)
Re: Procedure to inform them it's broken. (Score:5, Interesting)
In the event a user discovers an exploit, inform user to reboot machine and it will go away.
But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sort of automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People I've known that worked there also have no clue as far as who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking that the vendor is Microsoft.
Re: Procedure to inform them it's broken. (Score:5, Interesting)
Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!
As one might expect, this would cause the installation to bomb, and no explanation would be given to the user. Attempting to resume the installation would also fail. The solution was, of course, to go into the installer's temp directory and delete the bad CAB files and re-download them, but most users wouldn't know where to find them, and would be forced to start from scratch.
When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.
RTFA (Score:2, Informative)
Re:How do you contact Microsoft? (Score:5, Funny)
As far as I'm aware, they have a guy who just keeps clicking reload on the
Re:How do you contact Microsoft? (Score:3, Informative)
The Damage Has Been Done (Score:5, Insightful)
It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.
~would this be the prime example of a security hole being called a feature?~
Re:The Damage Has Been Done (Score:3, Interesting)
Having your website defaced is one thing, and having a day-long network headache because of the most recent worm is one thing, b
thoughts (Score:2, Interesting)
So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with
Re:thoughts (Score:5, Informative)
If you went to:
https://register.passport.net/emailpwdreset.srf
and replaced the victim address with a real user's, and the attacker@attacker.com with your address, they would send you an email telling you to click on another link, and you could set your own password. Voila, you now have rights to that hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.
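The flaw class that comment describes (the reset request itself naming the address that receives the link), modelled as an added example that is not Passport's code and not the commenter's: the flawed handler beside a corrected flow that mails only the address of record and uses a random, hashed, single-use, expiring token. The account store, the `Mailer`, the field names and the sample addresses are all constructed assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    email: str            # sign-in address
    recovery_email: str   # address of record; the only place reset mail may go
    password_hash: str


# Constructed account store with a single sample user (assumption, not real data).
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "alice.backup@example.com", "old-hash"),
}


class Mailer:
    """Records outbound mail instead of sending it, so the example runs offline."""

    def __init__(self):
        self.sent = []  # list of (recipient, body)

    def send(self, recipient, body):
        self.sent.append((recipient, body))


class VulnerableReset:
    """The flaw as described in the comment: the request supplies both the account
    and the destination address, so the reset link goes wherever the caller says."""

    def __init__(self, mailer):
        self.mailer = mailer

    def request(self, account_email, send_to):
        if account_email in ACCOUNTS:
            self.mailer.send(send_to, "reset-link-for:" + account_email)


class HardenedReset:
    """Destination comes from the account record, never from the request. The link
    carries a random token that is stored only as a hash, works once, and expires."""

    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, mailer, clock=time.time):
        self.mailer = mailer
        self.clock = clock          # injectable clock so expiry can be tested
        self._pending = {}          # sha256(token) -> (account email, expiry time)

    def request(self, account_email, *_ignored_request_fields):
        acct = ACCOUNTS.get(account_email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (acct.email, self.clock() + self.TOKEN_TTL)
            self.mailer.send(acct.recovery_email, "token=" + token)
        # Identical reply whether or not the account exists, so the endpoint
        # does not reveal which addresses are registered.
        return "If that account exists, a reset message has been sent."

    def complete(self, token, new_password_hash):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token is honoured at most once
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        ACCOUNTS[email].password_hash = new_password_hash
        return True


def token_from_mail(body):
    """Pull the token out of a recorded reset message (helper for the demo/test)."""
    return body.split("token=", 1)[1]
```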
404 (Score:2, Informative)
Add one to the pile (Score:5, Funny)
Re:Add one to the pile (Score:4, Funny)
his name is probably (Score:5, Informative)
Do a search for Ashyukun on Google (www.nhmk.com/nes/).
also at
(http://216.239.33.104/search?q=cache:q1XY1gcmA
Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?
Re:Add one to the pile (Score:5, Funny)
In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.
Where do you want to go today?
Re:Add one to the pile (Score:4, Funny)
Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive an error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added an underscore and it was all ok...
Funny stuff (Score:2, Funny)
Sign in on any computer that has Internet access.
This is not new (Score:5, Informative)
It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.
Don't believe me? Do a search on Kazaa for hotmail passwords. You will find several txt/docs with these or similar instructions.
MS announcement (Score:3, Informative)
Another Hotmail Password Hack found on Kazaa (Score:5, Funny)
THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD
Step 1:
send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line
Step 2: The email body
In the first line: put the complete email address of the user whose password you want.
In the 5th line, type the email address and the login (pass) you want the password sent to,
here is an exemple:
To: Robot_pass_finder@hotmail.com
Subject: PW: fetchpass
CC.________________ BCC.___________________
=-email body-=
address@hotmail.com
your email adress here example.: myemail@hotmail.com
your pass here example.: mypassword
The problem with global accounts like Passport (Score:3, Funny)
One Hacker to find them
One Exploit to bring them all
to the attacker's power
I have to go with the crowd here.... (Score:5, Interesting)
Some coders (again using the term loosely) at my organization used to do this absolutely all the time and I would bitch about how piss poor it was from a security angle (and regularly demonstrate how easy it was to circumvent the intended "security" mechanisms). Everybody laughed at me when I did... that is until one of our largest customers hired an outside firm to audit the "security" of the apps they were getting. It took the firm very little time to discover these nuggets, of course. It is interesting to note that they reported that the application security was among the poorest they had seen, but that the server configurations (my department) were among the tightest. The sad thing is the stupid customer basically thought the two canceled each other out, threw some extra money at redesigning the application to meet the standards it should have to begin with, rewarded our systems team which had done it right the first time with absolutely squat, and renewed the contract for another five years. Shows you how much the corporate world understands what's really going on.
*Sigh* (Score:3, Funny)
I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.
But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).
MS problem is their own culture and codebase (Score:5, Interesting)
If you've made any study of it at all you know that effective security results from a process that starts before the software is even written. There is no protocol that will save you from logic errors (like the latest Passport hole). To do this requires a good understanding by the devs of security and their adherence to design principles and coding practices. To do that you need a software development methodology that enforces the consistent application of those principles and practices. Therein lies the problem.
In my little corner of MS (though by all accounts it was typical of the company as a whole) what was prized above all was meeting requirements and deadlines. Virtually no energy was put into the development environment (hence the hour I spent every morning just downloading the nightly build, the insane .bat scripts, constantly fixing my own NT install as a $55/hr contractor). Nobody got "c-hours" for making life easier. More importantly, there was little value placed on design, good technique. Lip service was paid in meetings and reviews, of course, and superficial style details received obsessive scrutiny. Code reviews often bogged down on correct Hungarian notation but a unit test consisting of "return true" was perfectly ok. The "heroes" were people with big brain muscles who spent nights and weekends hammering out code to meet the latest deadline.
The result of all this was a coding culture that I called the kingdom of cut-and-paste. I was actually encouraged to write routines by starting with someone else's routine to do something unrelated and editing it to do my task. A colleague would stand over my shoulder browsing the codebase looking for something convenient to steal. It was a shock to realize how little code people actually wrote. This is one of the things that I hated about working there, that I spent so much of my time fscking with the various APIs and incomprehensible include file hierarchies and so little time writing C++.
Well, in my Intro to Fortran class in '77 the prof explained why massive code duplication is a bad idea, and the results are visible in every MS product. You can't fix a bug in one place, you have to fix it every place it got copied to, and you don't know where those are. The codebase is now on the order of 100'sM lines or better? Probably not even MS has a good handle on this, because they can't know for sure how much duplication (with tiny variations) there is (clue: lots).
Once a company grows to a considerable size it's really hard to change the culture. I've seen this at several startups. MS is like a battleship or an aircraft carrier. High-tech and deadly, but turning that boat around is really hard and simply may not happen in a short distance. Expecting them to change their performance WRT security in a few months (or a year) is kind of like expecting the old Soviet apparatchiks to start respecting civil liberties and human dignity because the Central Committee sends out a memo. Good luck. It's a city unto itself in Redmond, its own little world. And even if you did, what the hell are you going to do about the millions of lines of (largely incomprehensible) code in the installed base? The millions of systems in the wild that are unpatched and unmaintained?
I see many of the same disasters being recapitulated in .NET. They may talk security and I'm sure they're trying hard but I expect that their long term strategies are going to rely more on legislation than the (probably impossible)
task of bringing their products t
Re:FUD (Score:3, Insightful)
Re:FUD (Score:2, Funny)
It's handy-dandy, and I've never had a probASDFK6GJL45SDJ6G-CARRIER LOST-
Re:FUD (Score:3, Insightful)
Re:FUD (Score:3, Insightful)
Re:FUD (Score:5, Insightful)
Bob
Re: (Score:2)
Re:FUD (Score:3)
404ing the page took them 2 minutes, and now all users are relatively secure again. If Microsoft had done nothing while they fixed the bug, several million hotmail accounts would still be vulnerable, and would probably stay that way for at least a few hours.
Re:FUD (Score:2, Redundant)
Personally I suggest everyone reading this makes sure to tell everyone they know, in order to stop people blindly trusting any incompetents. The fact that it's MS just makes the schadenfreude better.
Justin.
Re:FUD (Score:2, Interesting)
Think about it, with a company like Microsoft, there is no doubt vulnerabilities will exist. If this was a distributed product we would still have script kiddies years from now drilling on this exploit. Now that it is a centralized service, it has been fixed in one place before any substantial damage has been done. -- Which evil do you want today?
Re:FUD (Score:3, Insightful)
Re:FUD (Score:5, Funny)
Me: Thanks. How did you fix them?
Mechanic: We removed the brakes entirely
Me: What the...
Mechanic: That will be $567.98, please.