http://www.wired.com/news/technology/0,1282,48105,00.html Stealing MS Passport's Wallet By Brian McWilliams 12:25 p.m. Nov. 2, 2001 PST To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed. The bugs in Passport, a sign-on service used by more than 200 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation. By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers -- and all, simply by getting the victim to open a Hotmail message. The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative. In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user's Passport wallet. According to a notice at the service's site, the Passport wallet enables users to store credit card and address information "in a secure, online location. Only you have access to the information in your .NET Passport wallet." Introduced in 1999, Passport is what Microsoft calls a "platform service" and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be. Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers' checkout at dozens of sites that deploy the Passport Express Purchase technology. [...] ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Nov 03 2001 - 11:09:09 PST