To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.
The bugs in Passport, a sign-on service used by more than 200 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft’s Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.
By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers and all, simply by getting the victim to open a Hotmail message.
The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.
In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft’s Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user’s Passport wallet.
According to a notice at the service’s site, the Passport wallet enables users to store credit card and address information “in a secure, online location. Only you have access to the information in your .NET Passport wallet.”
Introduced in 1999, Passport is what Microsoft calls a “platform service” and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be.
Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers’ checkout at dozens of sites that deploy the Passport Express Purchase technology.
In an e-mail today to Slemko, Passport’s lead program manager for security and authentication, Chris Peterson, said the wallet service will remain offline until the company can add additional security features “to ensure that similar exploits cannot be used to compromise our user’s credit card information.”
Microsoft’s Hotmail is the largest service currently utilizing the Passport authentication system, but the technology has also been deployed by eBay to allow users of the online auction service to sign into their accounts.
Prior to being fixed by Microsoft, the authentication flaws discovered by Slemko could have enabled an attacker "to do anything as if they were the Passport holder," including editing the user's portfolio at MoneyCentral or changing the user's auctions at eBay, he said.
More than 70 sites are in the process of deploying Passport’s authentication technology, according to Microsoft. Among them is Prudential Banking’s Egg.com online bank, which is switching to Passport from an authentication system developed by Entrust Inc., according to published reports.
Besides posting it at his site, Slemko intends to release the technical details on several security mailing lists Friday "so that, if they choose, users and partners can choose to reduce the impact on themselves," he said. Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct them.