[ISN] Microsoft admits Passport identity service was vulnerable

From: InfoSec News (isnat_private)
Date: Thu May 08 2003 - 22:50:40 PDT

    http://www.siliconvalley.com/mld/siliconvalley/5816546.htm
    
    May. 08, 2003
    
    WASHINGTON (AP) - A computer researcher in Pakistan discovered how to
    breach Microsoft Corp.'s security procedures for its popular Internet
    Passport service, designed to protect customers visiting some retail
    Web sites, sending e-mails and in some cases making credit-card
    purchases.
    
    Microsoft acknowledged the flaw affected all its 200 million Passport
    accounts but said it fixed the problem early Thursday, after details
    were published on the Internet. Product Manager Adam Sohn said the
    company was unaware of hackers actually hijacking anyone's Passport
    account, but several experts said they successfully tested the
    procedure overnight.
    
    In theory, Microsoft could face a staggering fine by U.S. regulators
    of up to $2.2 trillion. Under a settlement with the Federal Trade
    Commission last year over lapsed Passport security, Microsoft pledged
    to take reasonable safeguards to protect personal consumer information
    during the next two decades or risk fines up to $11,000 per violation.
    
    The FTC said it was investigating this latest lapse. The agency's
    assistant director for financial practices, Jessica Rich, said
    Thursday that each vulnerable account could constitute a separate
    violation -- raising the maximum fine that could be assessed against
    Microsoft to $2.2 trillion.
    
    ``If we were to find that they didn't take reasonable safeguards to
    protect the information, that could be an order violation,'' Rich
    said.
    
    The researcher, Muhammad Faisal Rauf Danka, determined that by typing
    a specific Web address that included the phrase ``emailpwdreset,'' he
    could seize any person's Passport account and change the password
    associated with it.
    
    Danka, who described himself as a private security consultant, said he
    discovered the flaw after Passport accounts belonging to him and a
    friend both were hijacked repeatedly. He made certain no one had
    hacked his own computer, then checked the security for the Microsoft
    Web site that controlled Passport accounts.
    
    Danka said he discovered the vulnerability about four minutes after he
    began searching in earnest.
    
    ``It was so simple to do it. It shouldn't have been so simple,'' Danka
    told The Associated Press in a telephone interview from Karachi.  
    ``Anyone could have done this.''
    
    Sohn acknowledged Microsoft should have been rejecting such
    transmissions from anywhere outside the company's own network.  
    Microsoft shut down the affected Web address late Wednesday night,
    more than one hour after details were published on the Internet. Those
    filters were permanently set in place early Thursday, Sohn said.
    
    ``We didn't validate the input,'' Sohn said. ``We allowed somebody
    external to do something only the system itself should be doing.  
    Somebody plumbed around ... and figured out they could do this.''
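    As an added example (not part of the article or of Microsoft's Passport code), the Python handler below shows the two safeguards Sohn's quote describes as missing: a reset request is not trusted on its own but must carry a signed, expiring, single-use token that only the mailbox owner could have received, and anything that fails those checks is rejected. The account store, SECRET and user names are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins: a real service would keep the key in a KMS and
# accounts in a database.
SECRET = b"constructed-server-secret"
accounts = {"alice": {"email": "alice@example.test", "pw_hash": "old"}}
_issued = {}  # outstanding tokens; a token is removed on first use


def issue_reset_token(user, ttl=900, now=None):
    """Mint a single-use token bound to one account and an expiry time.
    It is sent to the address on file, so possession of the token proves
    control of the mailbox, not just knowledge of the account name."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    exp = now + ttl
    msg = f"{user}:{exp}:{nonce}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    token = f"{user}:{exp}:{nonce}:{sig}"
    _issued[token] = True
    return token


def reset_password(token, new_password, now=None):
    """Hardened reset handler: every early return is a request that the
    2003 flow would have accepted from anyone who typed the right URL."""
    now = int(time.time()) if now is None else now
    try:
        user, exp, nonce, sig = token.split(":")
    except ValueError:
        return False  # malformed input is rejected, not interpreted
    msg = f"{user}:{exp}:{nonce}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered token
    if int(exp) < now:
        return False  # expired
    if not _issued.pop(token, False):
        return False  # unknown or already redeemed (single use)
    if user not in accounts:
        return False
    accounts[user]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```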
    
    Services such as Passport promise consumers a single, convenient
    method for identifying themselves across different Web sites,
    encouraging convenient purchases online of movies, music, travel and
    banking services.
    
    Passport, which is closely tied to Microsoft's flagship Windows XP
    software, is integral to its most important upcoming technology
    services. Dozens of retail Web sites use it already, and Passport
    controls access for Windows users to the free Hotmail service and
    instant-messaging accounts.
    
    Using Passport, consumers could entrust Microsoft or other
    organizations to centrally hold their personal information -- such as
    credit card numbers or medical records -- and make it available
    whenever needed.
    
    The FTC last year determined that Microsoft made deceptive claims and
    misrepresented the security surrounding the design and use of
    Passport. The FTC found that Microsoft exaggerated promises about its
    safety.
    
    ``The FTC needs to investigate and aggressively enforce the
    settlement,'' said David Sobel, a lawyer for the Washington-based
    Electronic Privacy Information Center. ``It's an important test of the
    government's ability to ensure real security in the handling of
    personal information. There needs to be consequences for security
    flaws.''
    
    Sobel's privacy group was among those that had made formal complaints
    about Passport, which led to the FTC settlement.
    
    ``If the passport office of any nation in the world had a security
    record like Microsoft's, no immigration officer would accept their
    passports,'' said Jason Catlett, head of Junkbusters Corp., a New
    Jersey-based privacy organization that also had complained to the FTC.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 00:34:44 PDT