Interesting People mailing list archives
IP: Microsoft leaves its Wallet wide open
From: David Farber <dave () farber net>
Date: Sat, 03 Nov 2001 12:42:33 -0500
Sensitivity: Company-Confidential From: <ecdesign () bellsouth net> To: farber () cis upenn edu Subject: Microsoft leaves its Wallet wide open Date: Sat, 3 Nov 2001 10:33:41 -0500 Microsoft leaves its Wallet wide open By Robert Lemos, ZDNN November 2, 2001 5:57 PM PT URL: http://www.zdnet.com/zdnn/stories/news/0%2C4586%2C5099186%2C00.htmlSoftware flaws in the security of Microsoft's Passport authentication system left consumers' financial data wide open, causing the software giant to remove a key service from the Internet to protect people from having their data stolen, a company representative acknowledged Friday.The admission came after an open-source programmer demonstrated serious security flaws in Wallet--the Passport service that keeps track of data used by e-commerce sites. Microsoft shut down the service Thursday, casting a pall on the company's recent efforts to convince consumers that it is serious about security. The incident also undermined the software giant's claims that itsPassport system can keep customers' financial data safe."It is very easy to fix the example exploit that I came up with," said Marc Slemko, the Seattle-area software engineer and open-source programmer who discovered the problems. "But to fix theinherent flaws in Passport is a pretty complex task."By sending a Hotmail user a specially crafted e-mail, Slemko could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications--say, a Web mail site and a financial site--are notrigorously checked for security.Slemko's idea was to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15minutes.Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, showsthe extent of the problems Microsoft needs to overcome."It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in hispaper outlining the attack.Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing anydanger that consumers could have had their information stolen."Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategygroup. <snip> Richard Goldschmidt ecdesign () bellsouth net
For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: Microsoft leaves its Wallet wide open David Farber (Nov 03)