Politech mailing list archives

FC: Microsoft's Passport service leaks credit card numbers


From: Declan McCullagh <declan () well com>
Date: Sat, 3 Nov 2001 13:31:59 -0500



http://www.wired.com/news/technology/0,1282,48105,00.html

   Stealing MS Passport's Wallet
   By Brian McWilliams
   12:25 p.m. Nov. 2, 2001 PST
   
   To correct serious security flaws, Microsoft on Friday disabled the
   virtual wallet function of its Passport service and has begun
   notifying partners about the vulnerabilities, the company has
   confirmed.
   
   The bugs in Passport, a sign-on service used by more than 200 million
   people, were discovered this week by Marc Slemko, a software developer
   who lives near Microsoft's Redmond, Washington, headquarters. Slemko
   is a founding member of the Apache Software Foundation.
   
   By cobbling together a handful of browser-based bugs with flaws in
   Passport's authentication system, Slemko developed a technique to
   steal a person's Microsoft Passport, credit card numbers and all,
   simply by getting the victim to open a Hotmail message.
   
   The attack raises new questions about the inherent security of
   Passport, which is being positioned by Microsoft as the linchpin of
   its .NET e-commerce service initiative.
   
   In a demonstration of the exploit earlier this week, Slemko sent Wired
   News a specially crafted but innocent-looking e-mail. Moments after
   the e-mail was viewed using Microsoft's Hotmail Web-based e-mail
   service, Slemko rattled off, over the phone, the credit card number
   and contact information from the user's Passport wallet.
   
   According to a notice at the service's site, the Passport wallet
   enables users to store credit card and address information "in a
   secure, online location. Only you have access to the information in
   your .NET Passport wallet."

   Introduced in 1999, Passport is what Microsoft calls a "platform
   service" and is being pitched to merchants and other partners as a
   convenient and secure means of determining whether site users are who
   they claim to be.
   
   Besides enabling Web surfers to access Hotmail and several other
   secure sites with a single log-in, Passport includes a wallet system
   that speeds shoppers' checkout at dozens of sites that deploy the
   Passport Express Purchase technology.

   [...]



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------