[ISN] Microsoft shuts site down -- ID's exposed

From: mea culpa (jerichot_private)
Date: Mon Oct 26 1998 - 14:16:28 PST

  • Next message: mea culpa: "[ISN] Hack puts AOL off limits"

    Forwarded From: William Knowles <erehwont_private>
    [News.com] (10.24.98) Microsoft yesterday shut down a site hosted by
    Softbank Services after discovering that it was revealing private
    identification and contact information for 108,000 Microsoft customers. 
    Softbank's site let users of Microsoft's Money financial management
    software upgrade to Money 99 from previous versions of Money. Microsoft
    had Softbank Services pull the site yesterday after learning of the
    security breach from CNET News.com. 
    Users trying to access the downed site first received an HTTP error page.
    Now the site reads: "We are sorry, but our site is temporarily out of
    service. If you would like to place an order for Money 99 or the Financial
    Suite please call 1-800-598-2068. M-F 8 a.m.-10 p.m. ET." 
    Microsoft on Thursday sent out a mass email inviting Money users to order
    the software upgrade either online or through a toll-free call.  The email
    included a unique reservation number nine digits long. 
    Once at the Softbank Services-hosted upgrade site, users could enter that
    number to order the upgrade. However, if they altered one or more of its
    digits, they were likely to call up the account of another customer. 
    While the resulting Web page did not display users' personal information
    outright, the pages contained names, phone numbers, email addresses, and
    postal addresses in a series of hidden fields. Those hidden fields could
    be viewed easily in the document or page source. 
    News.com was notified of the problem yesterday by Gregor Freund of Bay
    Area security software firm Slant. 
    "You could write a ten-line script and download all that information and
    use it for whatever purpose," Freund said. "These are very targeted
    It was not clear today whether other Microsoft customer databases hosted
    by Softbank--or Softbank's other clients --were similarly exposed. 
    A Microsoft spokesperson suggested that it was probably an isolated
    incident. "We have used the service many, many times in many different
    ways, and this was the first time that this sort of thing has come to our
    attention," the spokesperson said. 
    Softbank could have secured the site by asking for another piece of
    information, such as the customer's zip code, which would have made it
    harder to access the accounts by randomly guessing at reservation numbers. 
    Softbank could not be reached for comment. 
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:48 PDT