Information Security News mailing list archives

Microsoft Passport to Trouble (fwd)


From: InfoSec News <isn () c4i org>
Date: Tue, 6 Nov 2001 03:54:42 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>


---------- Forwarded message ----------
From: aleph1 () securityfocus com
To: secpapers () securityfocus com
Date: Fri, 2 Nov 2001 19:20:09 -0700
Subject: Microsoft Passport to Trouble

Microsoft Passport to Trouble
Marc Slemko <marcs () znep com>

Microsoft is attempting to position their Passport single sign-on
authentication service as the one single identity that an Internet
user should need to perform all their online activities. Currently,
Passport isn't very widely deployed outside of Microsoft sites (in
particular, most Passport accounts currently are actually Hotmail
accounts). With their .NET "my services" push, Microsoft is trying to
change this.

The current implementation of Passport, ignoring the new Windows XP-
specific functionality for the moment, is wholly inadequate to this
task. It does not allow for sufficient control over the use of
authentication information by a user and, where current technologies
fall short of the ideal, it trades off security in favor of
convenience in a way that leaves users vulnerable.

It is possible to use these design flaws and implementation holes to
effectively steal a user's Passport in certain situations. One example
scenario that I have put together to demonstrate these flaws consists
of:

   1. User has a Hotmail account, and stores some credit card information in
      the Passport Wallet associated with that Passport account.
   2. User logs into Hotmail and, within 15 minutes of logging in, reads an
      email message sent to them by an attacker.
   3. The attacker has now stolen all the information in the user's Passport
      Wallet, including full credit card numbers. The user does not know this
      has happened, and did nothing other than read a mail sent to their
      Hotmail account.

There are many variations on this attack possible, limited only by the number
of sites using Passport and the features they offer.

http://alive.znep.com/~marcs/passport/

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum



-
ISN is currently hosted by Attrition.org

