IP: Re: passport hacked

[David Farber <dave () farber net>]

> From: "Eric J. Glover" <eric () ericglover com>
> To: "David Farber
> Subject: Re: IP: passport hacked
>
> What I find ironic is that I reported a potentially serious flaw with 
> their passport authentication system about 8 months ago -- I even went so 
> far as to tell a high-up manager of theirs,  in person, at a conference -- 
> and they still have not fixed it.
>
> The other bug is that aparently Microsoft does not utilize a user's 
> password in any way as part of the authentication process when you choose 
> (on hotmail) "Keep me signed in to this and all other Passport sites 
> unless I sign out."  The consequences of this are significant. Although I 
> have not actually attempted to steal another user's identity, I have (in 
> the past) demonstrated that if you do save your password, then using a 
> different machine tyou change your passsword, your first session is still 
> valid (and can be recovered after quitting the browser).  There is no user 
> controled way to deactivate previously stored sessions (on a different 
> host) -- hence your password (or any function of your password) is not 
> part of the authentication process, or there is a more severe security 
> hole that I do not yet fully understand.
>
> A high up manager at a conference last May told me that he thought they 
> had fixed the problem, and would pass on my issue to be sure -- well we 
> all know the result of that discussion. This relates to the previous 
> message to the IP list where Microsoft is trying to strong-arm companies 
> into NOT reporting secuirty flaws till after they have fixed them -- so 
> basically in the past 8 months any employee who had a hotmail account and 
> left their job has given their bosses (or anyone with physical access to 
> their machine) full, unrestricted access -- all because Microsoft has not 
> fixed the problem.
>
> Later,
> Eric


For archives see:
http://www.interesting-people.org/archives/interesting-people/