InfoWorld
Window Manager
Brian Livingston
Microsoft times out

MICROSOFT WAS forced to temporarily suspend an important financial service of its Passport Wallet program for several days after a programmer showed that he could obtain users' credit card numbers and other personal information merely by sending them a single e-mail message.

Marc Slemko, a Seattle developer, demonstrated that he could retrieve all of a user's cookies and use them to access that person's Passport information any time the user viewed one of Slemko's messages within 15 minutes of signing on to Hotmail (which now requires Passport).

After notifying Microsoft, and being assured that the company was temporarily taking its Express Purchase system offline on Nov. 1, Slemko published a white paper on this and other severe security problems with Passport. That paper is available at http://alive.znep.com/~marcs/passport.

I'm glad to see that a little guy can still wield some influence over the behavior of a software giant. The weakness in Passport that Slemko forced Microsoft to address was similar to, but different from, the major problem that I warned readers about a couple of months ago (see "Passport is cracked").

That problem, which still exists, is that Windows 95, 98, and Windows Me leave a user's ID and password visible in memory, where any rogue e-mail or Trojan horse can retrieve it during a user's dial-up connection to an ISP and for 10 minutes afterward. In Slemko's case, the 15-minute vulnerability was due to a cache on Microsoft's Passport Web server.

Microsoft reduced the Passport server timeout and placed Express Purchase back online on Nov. 3. The company said in a statement that the vulnerability would not have affected users running the new Windows XP operating system.

But Microsoft didn't wait until customers had XP before requiring millions of Hotmail subscribers to use Passport to log on. There are hundreds of millions of vulnerable PCs out there, and Microsoft now requires that Passport be the only way to access an increasing number of services.

In an e-mail interview, Slemko stressed that the specific hole he demonstrated isn't the point. "The issues I raised apply to the use of Passport in general, and become more and more important with every new site that uses Passport," he said.

"Passport is lacking in features that are necessary to protect the security and privacy of users with the sites deployed using it today, let alone the even higher level required if Passport is to be deployed in the pervasive way that Microsoft envisions," Slemko added. "Some of the flaws I came across are such trivial implementation flaws that you have to question Microsoft's commitment."

In other words, reducing a server timeout in no way solves the larger problem. There's more going on. I'd be interested to hear your findings, too.

Copyright 2001 InfoWorld Media Group, Inc.