[ISN] Microsoft Passport to Trouble (fwd)

From: InfoSec News (isnat_private)
Date: Tue Nov 06 2001 - 01:54:42 PST


    Forwarded from: security curmudgeon <jerichoat_private>

    ---------- Forwarded message ----------
    From: aleph1at_private
    To: secpapersat_private
    Date: Fri, 2 Nov 2001 19:20:09 -0700
    Subject: Microsoft Passport to Trouble

    Microsoft Passport to Trouble
    Marc Slemko <marcsat_private>
    Microsoft is attempting to position their Passport single sign on
    authentication service as the one single identity that an Internet
    user should need to perform all their online activities. Currently,
    Passport isn't very widely deployed outside of Microsoft sites (in
    particular, most Passport accounts currently are actually Hotmail
    accounts). With their .NET "my services" push, Microsoft is trying to
    change this.

    The current implementation of Passport, ignoring the new Windows XP
    specific functionality for the moment, is wholly inadequate to this
    task. It does not allow for sufficient control over the use of
    authentication information by a user and, where current technologies
    fall short of the ideal, it trades off security in favor of
    convenience in a way that leaves users vulnerable.

    It is possible to use these design flaws and implementation holes to
    effectively steal a user's Passport in certain situations. One example
    scenario that I have put together to demonstrate these flaws consists
    of:

       1. User has a Hotmail account, and stores some credit card information in
          the Passport Wallet associated with that Passport account.
       2. User logs into Hotmail and, within 15 minutes of logging in, reads an
          email message sent to them by an attacker.
       3. The attacker has now stolen all the information in the user's Passport
          Wallet, including full credit card numbers. The user does not know this
          has happened, and did nothing other than read a mail sent to their
          Hotmail account.

    There are many variations on this attack possible, limited only by the number
    of sites using Passport and the features they offer.
    Elias Levy
    Si vis pacem, para bellum
