Full Disclosure mailing list archives
Re: Hotmail & Passport (.NET Accounts)
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 9 May 2003 11:00:27 -0500 (CDT)
May 08, Associated Press Microsoft admits Passport was vulnerable. Computer researcher Muhammad Faisal Rauf Danka of Pakistan discovered how to breach Microsoft Corp.'s security procedures for its Internet Passport service. The service is designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases. Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet Wednesday night. Under a settlement with the Federal Trade Commission (FTC) last year over lapsed Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation. The FTC's Jessica Rich said Thursday that each vulnerable account could constitute a separate violation - raising the maximum fine that could be assessed against Microsoft to $2.2 trillion. Source: http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html Thanks, Ron DuFresne On Fri, 9 May 2003, Darren Reed wrote:
In some mail from adf--at--Code511.com, sie said:Is it me or ms never credit vulnerabilities according to http://www.microsoft.com/security/passport_issue.asp "a report was published detailing a security vulnerability(...)"? No more details or credit.And they should because...? If you ask me, doing this for "fame and fortune" is really against what i would call traditional hacker ethic.I also saw online news like http://www.vnunet.com/News/1140757 none mentioned as it was said in Muhammad's post the issue was discovered, and ms warned since 12th April 2003. Meaning it let opened user's account (40 m users?) open for almost 3 weeks...that's ms marketting for you! but if you think "open for almost 3 weeks", think again. "_KNOWN_ open for almost 3 weeks" is more correct. if someone had of been less inclined to show off their skills in being able to reset hotmail passwords, it'd still be unknown and may have been "in use" for some time before that, if not by that person then by others. Will MS tell us? Not likely. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Hotmail & Passport (.NET Accounts) Vulnerability Muhammad Faisal Rauf Danka (May 07)
- Re: Hotmail & Passport (.NET Accounts) Vulnerability Michael J McCafferty (May 08)
- Re: Hotmail & Passport (.NET Accounts) Vulnerability adf--at--Code511.com (May 08)
- Re: Hotmail & Passport (.NET Accounts) Darren Reed (May 09)
- Re: Hotmail & Passport (.NET Accounts) Ron DuFresne (May 09)
- Re: Hotmail & Passport (.NET Accounts) adf--at--Code511.com (May 09)
- Re: Hotmail & Passport (.NET Accounts) Nick FitzGerald (May 09)
- Re: Hotmail & Passport (.NET Accounts) Georgi Guninski (May 10)
- Re: Hotmail & Passport (.NET Accounts) Nick FitzGerald (May 10)
- Re: Hotmail & Passport (.NET Accounts) Mark J Cox (May 12)
- RE: Hotmail & Passport (.NET Accounts) Ed Carp (May 12)
- Re: Hotmail & Passport (.NET Accounts) Vulnerability adf--at--Code511.com (May 08)
- Re: Hotmail & Passport (.NET Accounts) Vulnerability Michael J McCafferty (May 08)
- <Possible follow-ups>
- RE: Hotmail & Passport (.NET Accounts) Vulnerability Christopher F. Herot (May 07)
- RE: Hotmail & Passport (.NET Accounts) Vulnerability Marc Slemko (May 07)