A R C H I V E S
Madinat al-Muslimeen Islamic Message Board
| Flaw exposes Microsoft ID service |
|---|
| siddiqui |
| 05/09/03 at 08:58:57 |
| [slm] [url]http://news.bbc.co.uk/2/hi/technology/3013665.stm[/url] Microsoft has admitted that for the last seven months up to 200 million Passport accounts have been vulnerable to plundering by thieves and malicious hackers. The loophole in the online identity service only seems to have been exploited in the last month and Microsoft said it had locked all compromised accounts and fixed the bug. The vulnerability lets a criminal get access to a Passport account using a specific web address and a trigger phrase. It was discovered by a Pakistani researcher who had some of his own accounts hijacked by hackers exploiting the flaw. Simple attack Passport is closely tied to Microsoft's Windows XP, Hotmail and instant messaging products. It was so simple to do it. It shouldn't have been so simple. Anyone could have done this Muhammad Faisal Rauf Danka, Pakistani researcher Some online businesses use Passport as an ID guarantee to let people access personalised accounts and buy goods or services online. Criminals exploiting the flaw could have gained access to personal information, credit card details and online mail accounts. The Passport bug was found by Muhammad Faisal Rauf Danka, chief technology officer at Pakistani net service firm Gem Net. Some of the Passport accounts owned by Mr Danka and his friends had been hijacked. In discovering how this was done, he found the website that gives privileged access to personal accounts and lets passwords be reset. "It was so simple to do it. It shouldn't have been so simple," said Mr Danka, "Anyone could have done this." Reportedly Mr Danka sent 10 messages to Microsoft detailing the vulnerability but got no response. Microsoft only reacted when information about the flaw was posted online The flaw has left 200 million Passport accounts vulnerable for the last seven months. The website giving access to the accounts has now been shut down. The security lapse is embarrassing for Microsoft which is trying to shed its image of a software maker with a lax attitude to security. The bug could leave the software giant open to fines from the US Federal Trade Commission. Under an agreement reached with the FTC in mid-2002 Microsoft said it would take reasonable steps to protect Passport accounts, pledged to stop overselling the security of the sign-in system and agreed to pay fines if it failed in its duty. Microsoft potentially faces an enormous fine if the full fee of $11,000 per security lapse is applied. Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3013665.stm Published: 2003/05/09 11:35:49 © BBC MMIII |
| Re: Flaw exposes Microsoft ID service |
|---|
| Al-Basha |
| 05/13/03 at 19:40:44 |
| [slm] One good reason why MS should partially go open source. MS will continue to have security problems unless they open the door for code to be audited by others. Ever heard of this major of a security lapse occuring with industrial strength OS'es like OpenBSD? |
Madinat al-Muslimeen Islamic Message Board |