InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Passport is cracked

MICROSOFT'S Passport authentication program, which is used by tens of millions of people to log on to Hotmail accounts every day, is trivially easy for a Trojan horse to compromise on Windows 9x and Me systems, according to developers. A breach can expose a user's financial information, including credit card numbers that were typed in by a user and stored on Passport's central Web server.

Describing how easily a worm can get access, Bob Puckett, CEO of Bugtoaster.com, in Hillsboro, Ore., says, "If the user uses MSN, it will get their Passport ID, password, and the phone number to dial their ISP." Because a person's e-mail address and password are used to sign on to the Passport server -- where account numbers are held -- an unscrupulous person at an ISP could easily steal credit card numbers, experts say.

The average PC user has a bad habit of choosing the same user name and password to log on to several different Web sites. Passport, which will be bundled into the forthcoming Windows XP, makes this problem far more serious by enforcing a single user name and password for all participating Web sites. The service will be all but mandatory on XP, which tells users, "You need a Passport to use Windows XP Internet communications features ... and to access Net-enabled features."

The specific flaw is that Windows 9x and Windows Me allow any application to "see" the user name, password, and phone number used to access a dial-up ISP, according to Dave Thomas, Bugtoaster's CTO. "For 10 minutes after you place a call," he says, "that info is visible in memory." Windows NT, 2000, and XP guard against this, but that leaves a few hundred million 9x-based systems at risk.

With e-mail viruses and worms silently planting Trojan horse programs on millions of PCs, all the data a rogue programmer needs is out in the open. Most Windows users select the same password for Passport as they would do for any other service.

This newly discovered hole is distinct from the other problems with Passport, such as those identified in a white paper by researchers at AT&T Labs (see www.avirubin.com/passport.html). To name only one, redirection of browsers to Microsoft's Passport server is not protected by SSL (Secure Sockets Layer). This makes it easy for an ISP employee to intercept account numbers. AT&T scientist Avi Rubin told the San Jose Mercury News on Aug. 14 that Passport's problems "are fundamental things that can't really be fixed."

Microsoft did not reply to requests for comment by press time. I'll continue this subject next week.

Puckett and Thomas identified the problem using the free utility called Bugtoaster. Go to their Web site and download the program yourself, which helps isolate the causes of Windows crashes. Any comments sent to me by Sept. 18 will be considered for publication in my Oct. 1 column.




RELATED SUBJECTS

Operating Systems

MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Gateway: Your Reliable IT Provider of Business Technology Solutions
Learn to secure your PCs from new and unknown hacker attacks.
Get FREE Hurwitz Report: Control Your App Dev Costs with TogetherSoft!
Click here to receive a FREE Success Kit from Oracle.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine

Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2001 InfoWorld Media Group, Inc.