Forwarded from: security curmudgeon <jerichoat_private>

---------- Forwarded message ----------
From: aleph1at_private
To: secpapersat_private
Date: Fri, 2 Nov 2001 19:20:09 -0700
Subject: Microsoft Passport to Trouble

Microsoft Passport to Trouble
Marc Slemko <marcsat_private>

Microsoft is attempting to position its Passport single sign-on authentication service as the one single identity that an Internet user should need to perform all their online activities. Currently, Passport isn't very widely deployed outside of Microsoft sites (in particular, most Passport accounts currently are actually Hotmail accounts). With their .NET "my services" push, Microsoft is trying to change this.

The current implementation of Passport, ignoring the new Windows XP-specific functionality for the moment, is wholly inadequate to this task. It does not allow for sufficient control over the use of authentication information by a user and, where current technologies fall short of the ideal, it trades off security in favor of convenience in a way that leaves users vulnerable. It is possible to use these design flaws and implementation holes to effectively steal a user's Passport in certain situations.

One example scenario that I have put together to demonstrate these flaws consists of:

1. User has a Hotmail account, and stores some credit card information in the Passport Wallet associated with that Passport account.

2. User logs into Hotmail and, within 15 minutes of logging in, reads an email message sent to them by an attacker.

3. The attacker has now stolen all the information in the user's Passport Wallet, including full credit card numbers. The user does not know this has happened, and did nothing other than read a mail sent to their Hotmail account.

There are many variations on this attack possible, limited only by the number of sites using Passport and the features they offer.
http://alive.znep.com/~marcs/passport/

--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Nov 06 2001 - 03:48:54 PST