IP: Microsoft leaves its Wallet wide open

[David Farber <dave () farber net>]

> Sensitivity: Company-Confidential
> From: <ecdesign () bellsouth net>
> To: farber () cis upenn edu
> Subject: Microsoft leaves its Wallet wide open
> Date: Sat, 3 Nov 2001 10:33:41 -0500
>
> Microsoft leaves its Wallet wide open
> By Robert Lemos, ZDNN
> November 2, 2001 5:57 PM PT
> URL: http://www.zdnet.com/zdnn/stories/news/0%2C4586%2C5099186%2C00.html
>
> Software flaws in the security of Microsoft's Passport authentication 
> system left consumers'
> financial data wide open, causing the software giant to remove a key 
> service from the Internet to
> protect people from having their data stolen, a company representative 
> acknowledged Friday.
>
> The admission came after an open-source programmer demonstrated serious 
> security flaws in
> Wallet--the Passport service that keeps track of data used by e-commerce 
> sites. Microsoft shut
> down the service Thursday, casting a pall on the company's recent efforts 
> to convince consumers
> that it is serious about security. The incident also undermined the 
> software giant's claims that its
> Passport system can keep customers' financial data safe.
>
> "It is very easy to fix the example exploit that I came up with," said 
> Marc Slemko, the Seattle-area
> software engineer and open-source programmer who discovered the problems. 
> "But to fix the
> inherent flaws in Passport is a pretty complex task."
>
> By sending a Hotmail user a specially crafted e-mail, Slemko could in many 
> cases get complete
> access to the reader's financial data contained in Passport's Wallet 
> service stored on Microsoft's
> servers. The exploit took advantage of two so-called cross-scripting 
> vulnerabilities that appear
> when the communications between applications--say, a Web mail site and a 
> financial site--are not
> rigorously checked for security.
>
> Slemko's idea was to combine those vulnerabilities with the fact that, for 
> up to 15 minutes after
> someone signs in to Hotmail, that person's authorization extends to every 
> other Passport service,
> including Wallet. In this case, if a victim reads the specially crafted 
> e-mail within 15 minutes of
> signing in, the code contained in the message retrieves all the person's 
> cookies, bits of code that
> identify the user. The attacker can then use those cookies to access other 
> services within those 15
> minutes.
>
> Slemko, who makes no bones about his uneasiness with Microsoft's Passport 
> system, said he
> came up with the basics of his exploit in about 30 minutes of 
> brainstorming. That, he said, shows
> the extent of the problems Microsoft needs to overcome.
>
> "It is very clear that either Microsoft does not have sufficient resources 
> in place to properly review
> the security of their services and software, or that they are aware of the 
> shortcomings but decided
> that attempting to gain market share was more important than their user's 
> security," he stated in his
> paper outlining the attack.
>
> Microsoft acknowledged the security problems, originally reported by 
> online news service Wired,
> calling Slemko's analysis of the security flaws "valid." On Thursday, the 
> company temporarily
> disabled the Express Purchase service affiliated with Passport Wallet, 
> effectively removing any
> danger that consumers could have had their information stolen.
>
> "Ultimately, the big takeaway from this is that there is no evidence that 
> anyone has ever taken
> advantage of this," said Adam Sohn, product manager for Microsoft's .Net 
> platform strategy
> group.
>
> <snip>
>
> Richard Goldschmidt
> ecdesign () bellsouth net


For archives see:
http://www.interesting-people.org/archives/interesting-people/