[ISN] Microsoft Passport to Trouble (fwd)

From: InfoSec News (isnat_private)
Date: Tue Nov 06 2001 - 01:54:42 PST

Next message: InfoSec News: "[ISN] Ferreting Out Virus 'DNA'"

Previous message: InfoSec News: "[ISN] High-tech security may get $1 billion boost"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: security curmudgeon <jerichoat_private>

---------- Forwarded message ----------
From: aleph1at_private
To: secpapersat_private
Date: Fri, 2 Nov 2001 19:20:09 -0700
Subject: Microsoft Passport to Trouble

Microsoft Passport to Trouble
Marc Slemko <marcsat_private>

Microsoft is attempting to position their Passport single sign on
authentication service as the one single identity that an Internet
user should need to perform all their online activities. Currently,
Passport isn't very widely deployed outside of Microsoft sites (in
particular, most Passport accounts currently are actually Hotmail
accounts). With their .NET "my services" push, Microsoft is trying to
change this.

The current implementation of Passport, ignoring the new Windows XP
specific functionality for the moment, is wholly inadequate to this
task. It does not allow for sufficient control over the use of
authentication information by a user and, where current technologies
fall short of the ideal, it trades off security in favor of
convenience in a way that leaves users vulnerable.

It is possible to use these design flaws and implementation holes to
effectively steal a user's Passport in certain situations. One example
scenario that I have put together to demonstrate these flaws consists
of:

   1. User has a Hotmail account, and stores some credit card information in 
      the Passport Wallet associated with that Passport account.
   2. User logs into Hotmail and, within 15 minutes of logging in, reads an 
      email message sent to them by an attacker.
   3. The attacker has now stolen all the information in the user's Passport 
      Wallet, including full credit card numbers. The user does not know this 
      has happened, and did nothing other than read a mail sent to their 
      Hotmail account.

There are many variations on this attack possible, limited only by the number 
of sites using Passport and the features they offer.

http://alive.znep.com/~marcs/passport/

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] Ferreting Out Virus 'DNA'"
Previous message: InfoSec News: "[ISN] High-tech security may get $1 billion boost"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 06 2001 - 03:48:54 PST