FC: Microsoft's Passport service leaks credit card numbers

From: Declan McCullagh (declanat_private)
Date: Sat Nov 03 2001 - 10:31:59 PST

    http://www.wired.com/news/technology/0,1282,48105,00.html
    
       Stealing MS Passport's Wallet
       By Brian McWilliams
       12:25 p.m. Nov. 2, 2001 PST
       
       To correct serious security flaws, Microsoft on Friday disabled the
       virtual wallet function of its Passport service and has begun
       notifying partners about the vulnerabilities, the company has
       confirmed.
       
       The bugs in Passport, a sign-on service used by more than 200 million
       people, were discovered this week by Marc Slemko, a software developer
       who lives near Microsoft's Redmond, Washington, headquarters. Slemko
       is a founding member of the Apache Software Foundation.
       
       By cobbling together a handful of browser-based bugs with flaws in
       Passport's authentication system, Slemko developed a technique to
       steal a person's Microsoft Passport -- credit card numbers and all --
       simply by getting the victim to open a Hotmail message.
       
       The attack raises new questions about the inherent security of
       Passport, which is being positioned by Microsoft as the linchpin of
       its .NET e-commerce service initiative.
       
       In a demonstration of the exploit earlier this week, Slemko sent Wired
       News a specially crafted but innocent-looking e-mail. Moments after
       the e-mail was viewed using Microsoft's Hotmail Web-based e-mail
       service, Slemko rattled off, over the phone, the credit card number
       and contact information from the user's Passport wallet.
       
       According to a notice at the service's site, the Passport wallet
       enables users to store credit card and address information "in a
       secure, online location. Only you have access to the information in
       your .NET Passport wallet."
    
       Introduced in 1999, Passport is what Microsoft calls a "platform
       service" and is being pitched to merchants and other partners as a
       convenient and secure means of determining whether site users are who
       they claim to be.
       
       Besides enabling Web surfers to access Hotmail and several other
       secure sites with a single log-in, Passport includes a wallet system
       that speeds shoppers' checkout at dozens of sites that deploy the
       Passport Express Purchase technology.
    
       [...]
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------