Microsoft admits Passport identity service was vulnerable

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/mld/siliconvalley/5816546.htm

May. 08, 2003

WASHINGTON (AP) - A computer researcher in Pakistan discovered how to
breach Microsoft Corp.'s security procedures for its popular Internet
Passport service, designed to protect customers visiting some retail
Web sites, sending e-mails and in some cases making credit-card
purchases.

Microsoft acknowledged the flaw affected all its 200 million Passport
accounts but said it fixed the problem early Thursday, after details
were published on the Internet. Product Manager Adam Sohn said the
company was unaware of hackers actually hijacking anyone's Passport
account, but several experts said they successfully tested the
procedure overnight.

In theory, Microsoft could face a staggering fine by U.S. regulators
of up to $2.2 trillion. Under a settlement with the Federal Trade
Commission last year over lapsed Passport security, Microsoft pledged
to take reasonable safeguards to protect personal consumer information
during the next two decades or risk fines up to $11,000 per violation.

The FTC said it was investigating this latest lapse. The agency's
assistant director for financial practices, Jessica Rich, said
Thursday that each vulnerable account could constitute a separate
violation -- raising the maximum fine that could be assessed against
Microsoft to $2.2 trillion.

``If we were to find that they didn't take reasonable safeguards to
protect the information, that could be an order violation,'' Rich
said.

The researcher, Muhammad Faisal Rauf Danka, determined that by typing
a specific Web address that included the phrase ``emailpwdreset,'' he
could seize any person's Passport account and change the password
associated with it.

Danka, who described himself as a private security consultant, said he
discovered the flaw after Passport accounts belonging to him and a
friend both were hijacked repeatedly. He made certain no one had
hacked his own computer, then checked the security for the Microsoft
Web site that controlled Passport accounts.

Danka said he discovered the vulnerability about four minutes after he
began searching in earnest.

``It was so simple to do it. It shouldn't have been so simple,'' Danka
told The Associated Press in a telephone interview from Karachi.  
``Anyone could have done this.''

Sohn acknowledged Microsoft should have been rejecting such
transmissions from anywhere outside the company's own network.  
Microsoft shut down the affected Web address late Wednesday night,
more than one hour after details were published on the Internet. Those
filters were permanently set in place early Thursday, Sohn said.

``We didn't validate the input,'' Sohn said. ``We allowed somebody
external to do something only the system itself should be doing.  
Somebody plumbed around ... and figured out they could do this.''

Services such as Passport promise consumers a single, convenient
method for identifying themselves across different Web sites,
encouraging convenient purchases online of movies, music, travel and
banking services.

Passport, which is closely tied to Microsoft's flagship Windows XP
software, is integral to its most important upcoming technology
services. Dozens of retail Web sites use it already, and Passport
controls access for Windows users to the free Hotmail service and
instant-messaging accounts.

Using Passport, consumers could entrust Microsoft or other
organizations to centrally hold their personal information -- such as
credit card numbers or medical records -- and make it available
whenever needed.

The FTC last year determined that Microsoft made deceptive claims and
misrepresented the security surrounding the design and use of
Passport. The FTC found that Microsoft exaggerated promises about its
safety.

``The FTC needs to investigate and aggressively enforce the
settlement,'' said David Sobel, a lawyer for the Washington-based
Electronic Privacy Information Center. ``It's an important test of the
government's ability to ensure real security in the handling of
personal information. There needs to be consequences for security
flaws.''

Sobel's privacy group was among those that had made formal complaints
about Passport, which led to the FTC settlement.

``If the passport office of any nation in the world had a security
record like Microsoft's, no immigration officer would accept their
passports,'' said Jason Catlett, head of Junkbusters Corp., a New
Jersey-based privacy organization that also had complained to the FTC.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.