RE: .NET Passport: WALLET SERVICE

["Baron Samedi" <baron.samedi () voodoosecurity com>]

We have just covered this issue which is pretty wide-spread outside of .NET
as part of the OWASP project. http://www.owasp.org It is part of the primary
attack components http://www.owasp.org/projects/cov/ look for Privacy
Violations - Browser cache
http://www.owasp.org/projects/cov/owasp-pv-bc-1.htm

I am still amazed at the amount of sites that still use GET requests for
form submission as well leaving the parameters in the browser history!

-----Original Message-----
From: http-equiv () excite com [mailto:http-equiv () excite com]
Sent: Wednesday, November 07, 2001 10:08 AM
To: vuln-dev () securityfocus com
Subject: .NET Passport: WALLET SERVICE


This is a little out of our realm, but it sure looks suspicious:

Microsoft has this so-called .NET initiative. Purpose is unclear at this
time, but one seemingly nifty feature is the WALLET SERVICE. On the
surfacethis looks like a good, simple idea and could possibly be boiled down
to nothing more than an "auto form filler" or even an extension of the IE
browser AutoComplete feature which "fills in the blanks".

It seems the idea is that as a passport member you register for the WALLET
SERVICE. You input your details including name, address, telephone number,
your credit card details including number etc. You then save this and
continue on your merry way. The idea is that should you happen upon an
online retailer offering the latest and greatest, you simply "add to the
basket" that item and select "checkout".

The online retailer as a member or whatever the affiliation with the .NET
initiative is, has a "PASSPORT EXPRESS PURCHASE" button at the final
"checkout" phase. What happens is:

you click the "passport express purchase" button, it takes you to the
PASSPORT login page. You login and there are your details (name, address,
credit card number etc. etc.). You then select continue, a "transferring
information" short-time span window is revealed, then magically you arrive
at the online retailer's final "checkout" phase, with all your details
filled in. You review it and press "purchase" and that is it. Purchase
successful.

What appears suspicious is that out of 15 randomly selected .NET Passport -
Directory of Sites participants, 12 of these "checkout" phase pages are
easily accessible from the browser's temp files with the forms filled in and
all details in the clear. Name, address, tel.no., credit number etc. The
remaining 3 either directly transferred this sensitive information into
their databases and only left the name and address and order revealed on the
html page (and in the cache) or they revealed the credit card number but hid
some if not most of the credit card numbers.

It seems that because the final "checkout" phase data is being automatically
filled in before it is rendered by the browser, when it is, not only is the
entire page cached but so is the sensitive data.

Normally one would navigate to the final "checkout" manually, arrive at the
final stage, fill in the forms manually and press send. The data is
automatically sent and that information is not cached. And if there is an
error, the page will return with the sensitive data removed and you would
fill it in again. It looks like the .NET Passport: WALLET SERVICE fills in
the sensitive data before it is passed to the browser, so once it "arrives"
and is rendered, everything is cached including sensitive data.

Again, this is a little out of our realm. Somebody in this field had better
take a very close look at it.

http://www.passport.com/Directory/

The 12 random sites out of 15, ranged from small retailers, to some
extremely large retailers. Possibly they are not aware of the
"miss-integration" of this .NET Passport: WALLET SERVICE. Those same sites,
if you navigate manually to the "checkout" phase and fill in the sensitive
data manually, appear to function normally i.e. the page with the sensitive
data is not cached locally.

It definitely does not like right.

Tested with IE6.0. with and without the "do not save encrypted pages to
disk" enabled.


---
http://www.malware.com










_______________________________________________________
Send a cool gift with your E-Card
http://www.bluemountain.com/giftcenter/