Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theatre
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
Poking Holes in Microsoft's Passport
Online authentication service is shut down due to security flaw that allows access to users' credit card info.
Matt Berger, IDG News Service
Vulnerabilities discovered in Microsoft's free e-mail and Passport authentication services allowed a programmer to access credit card information stored on the company's servers, forcing it to shut down the electronic wallet feature in Passport until it can fix the problem, Microsoft confirmed on Friday.
By exploiting holes in Microsoft's Hotmail e-mail service, as well as the Passport.com Web site used behind the scenes when a user logs onto Passport, a Seattle-based programmer was able to create a program that he says exposed personal information submitted by subscribers. The Web site Wired News first reported the exploit after testing the vulnerability with the programmer who discovered it.
"We took some quick steps to verify and fix the issues," says Adam Sohn, a product manager with Microsoft's .Net team. "As a general safety precaution we made the decision to take the [wallet] service off line."
He says there is no evidence that anyone exploited the holes or that information was compromised before the fixes were made on Thursday afternoon. Microsoft will reinstate the wallet service soon, he says.
Online Access
Passport allows users to log on to the Web once and then gain access to a range of Microsoft properties and services, from its MSN network of Web sites to the Web services it is rolling out called .Net My Services. The company also has deals with third-party Web sites, such as eBay and Starbucks.com, which allow users to log into those sites without reentering their user name and password.
The electronic wallet feature of Passport, called Passport Express Purchase, stores credit card information and mailing addresses so that users can also make purchases at Web sites that support the technology.
Marc Slemko, a software engineer and founding member of the Apache Software Foundation, identified the vulnerability after discovering what he describes as a series of weaknesses with Microsoft's Internet services. "I started looking at the security of Passport when Microsoft began pushing it for much broader use," he says Friday.
Slemko wrote a program that can be used to reveal information in a user's Passport wallet in the minutes after that user logs into their Hotmail account, he says. To do so he took advantage of a vulnerability known as "cross-site scripting." Simply put, this weakness can allow a malicious coder to get between a Web site and a user's machine and compromise the security of the connection.
Sophisticated Scripting
Sohn says cross-site scripting is a vulnerability that affects the Internet as a whole, not just Microsoft's services. "This is a very sophisticated exploit," he says, adding that it takes "considerable expertise" to recreate the process. For those who do, it is even more difficult to actually steal any information, he says.
When a user signs onto Passport there is a five-minute period in which information in their wallet becomes accessible, allowing them to make an electronic purchase. After that time period, a user would need to reenter their login and password to use the wallet.
Slemko says his program uses cross-site scripting to access user information during that five-minute window. Microsoft has reduced the window to about one minute since it was alerted to the problem, according to Sohn.
The exploit was successfully tested on the Internet Explorer 5.5 and 6.0 Web browsers running on Windows 2000 and Windows 98 machines, Slemko says. Windows XP users were never affected because security has been beefed up in the new operating system, Sohn says.
Passport is used by 165 million subscribers, and about 2 million of those users also have electronic wallet accounts, according to Microsoft. The service is a central component in Microsoft's strategy to provide software and services that will allow users to share information on the Web among a variety of devices and applications.
Slemko has created a Web site , which details his findings and discusses what he said are other security issues with Passport.
- Sponsored Resource:Improve your network with the right mix of features, performance and pricing.
- Sponsored Resource:Growing your business requires the right tools. Dell's networking servers can help.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Twitter: A how-to guide for using Twitter as a business tool.
- Sponsored Resource:Smartphone security threats are on the rise. Is it time to safegaurd your device?
Laptop Showcase
Mobile Computing
Deal Breakers
Special Offers for PC World Users
-
Dell Windows 7 Deals Win7 Weekend Sale at dell.com!
Laptops starting at $499 after Instant Savings
People who read this also read:
Best Prices on Cameras
D3000 SLR Digital Camera Kit w/ 18-55mm LensPrice: $514.95
EOS Rebel T1i Black SLR Digital Camera Kit w/ 18-55mm LensPrice: $669.95
EOS Rebel XSi Black SLR Digital Camera KitPrice: $549.95
D90 Black SLR Digital Camera KitPrice: $1059.00
Lumix DMC-FZ35K Black Digital CameraPrice: $315.00
PowerShot G11 Black Digital CameraPrice: $488.95
- 15 Minutes to a Secure Business Get the Secure in 15 toolkit starting with the "15 Minutes Month-at-a-Glance" calendar. McAfee will send you additional tools and tricks to stay protected around the clock.
- A Buyer's Guide to Data Protection Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.
