May 9, 2003, 23:28 | #1
Settler | Join Date: Jan 2002 | Location: Battle Creek, Michigan | Posts: 23
Microsoft Admits Passport Security Flaw
By THE ASSOCIATED PRESS
Filed at 6:41 p.m. ET
WASHINGTON (AP) -- Microsoft acknowledged a security flaw Thursday in its popular Internet Passport service that left 200 million consumer accounts vulnerable to hackers and thieves -- an admission that could expose the company to a hefty fine from U.S. regulators.
Microsoft said it fixed the problem early Thursday, after a Pakistani computer researcher disclosed details of it on the Internet. Product Manager Adam Sohn said the company locked out all accounts it believed had been altered using the flaw. He declined to say how many people were affected but said it was a small number.
Several security experts said they had successfully tested the procedure overnight. Sohn said the flaw had apparently existed since at least September 2002, but Microsoft investigators have found no evidence anyone tried to use the technique to seize a Passport account before last month.
Passport promises consumers a single, convenient method for identifying themselves across different Web sites and encourages purchases online of movies, music, travel and banking services.
Closely tied to Microsoft's flagship Windows XP software, Passport also controls access for Windows users to the free Hotmail service and instant-messaging accounts.
The incident was yet another embarrassing lapse for Microsoft and could result in sanctions by the Federal Trade Commission and even a staggering fine. The episode occurs in the midst of Microsoft's "trustworthy computing initiative" to improve security for all its software products and services.
Under a settlement last summer, the government accused Microsoft of deceptive claims about Passport's security. In response, the company pledged to take reasonable safeguards to protect those accounts, submit to audits every two years for the next 20 years or risk fines up to $11,000 per violation.
Microsoft declined to say Thursday whether it had contacted the FTC. The agency's assistant director for financial practices, Jessica Rich, said any follow-up investigation would be conducted privately, but she added, "We routinely look into issues that may bear on compliance with our orders."
Sanctions or fines could be calculated various ways under federal laws, but Rich confirmed that each Passport account that was vulnerable could constitute a separate violation.
"If we were to find that they didn't take reasonable safeguards to protect the information, that could be an order violation," Rich said.
Theoretically, that would set the maximum fine at $2.2 trillion -- although experts said any fine would be significantly lower. The highest civil penalty previously assessed by the FTC was $4.05 million, against Mazda Motor Corp. in 1999. Sanctions imposed by the FTC will depend on technical details of the flaw and the adequacy of Microsoft's response over the next few days to prevent any recurrence.
"An important factor is, when does the company tell them about it? What does the company do about it?" said Jodie Bernstein, former director of the agency's bureau of consumer protection. "They have discretion. They can consider what has the company done to make sure this doesn't happen again."
The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any Passport account. He said he sent 10 e-mails to Microsoft explaining his findings but never received a response. Sohn said the company was investigating how it might have missed those reports.
Danka said he discovered the flaw after unknown hackers repeatedly hijacked Passport accounts belonging to him and a friend. He said he found the problem on Microsoft's Web site that controls Passport accounts about four minutes after he began searching in earnest.
"It was so simple to do it. It shouldn't have been so simple," Danka told The Associated Press in a telephone interview from Karachi. "Anyone could have done this."
Microsoft should have been rejecting such transmissions from anywhere outside the company's own network, Sohn acknowledged. Microsoft shut down the affected Web address late Wednesday night, just over one hour after details were published on the Internet. Those filters were permanently set in place early Thursday, Sohn said.
"We didn't validate the input," Sohn said. "We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this."
__________________
The ways of Man are passing strange, he buys his freedom and he counts his change.
Then he lets the wind his days arrange and he calls the tide his master.
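The defect Sohn describes in the article above, a password-reset request honoured from outside without any proof that the requester owns the account, is a general pattern rather than anything specific to Passport. The following is an added illustration, not code from the article, the forum, or Microsoft: a minimal reset handler written two ways. The weak form trusts whatever account name and new password arrive in the request; the hardened form only completes a reset that carries a token the service itself issued for that account, delivered out of band, bound to the account, single-use and time-limited. The account store, names and the injectable clock are all constructed for the example.

```python
import secrets
import time

# Constructed in-memory account store: username -> password. Plaintext only
# to keep the example short; a real system stores a salted hash.
ACCOUNTS = {"alice": "correct horse", "bob": "battery staple"}


def weak_reset(username, new_password):
    """Weak form: anyone who can reach the endpoint and name an account can
    overwrite its password. Nothing ties the request to the account's owner,
    which is the "we allowed somebody external to do something only the
    system itself should be doing" failure."""
    if username not in ACCOUNTS:
        return False
    ACCOUNTS[username] = new_password
    return True


class ResetService:
    """Hardened form: a reset is only honoured when it carries a token this
    service issued for that very account. The token is the server's own
    authority, so an outsider cannot manufacture a valid reset request."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry (constructed)
        self._pending = {}  # token -> (username, expiry timestamp)

    def begin_reset(self, username):
        """Issue a random token for the account. The caller would deliver it
        out of band (e.g. to the registered e-mail address). Returns None for
        unknown accounts; a real endpoint should answer identically in both
        cases so it does not reveal which accounts exist."""
        if username not in ACCOUNTS:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._pending[token] = (username, self.clock() + self.ttl)
        return token

    def complete_reset(self, username, token, new_password):
        """Validate the token before touching the account. Any failure
        consumes the token so it cannot be retried against another name."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        bound_user, expiry = entry
        # The token must be for the account named in the request and still fresh.
        if bound_user != username or self.clock() > expiry:
            return False
        ACCOUNTS[username] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService(ttl_seconds=60)
    tok = svc.begin_reset("bob")
    print("reset with wrong account:", svc.complete_reset("alice", tok, "x"))
    tok = svc.begin_reset("bob")
    print("reset with matching token:", svc.complete_reset("bob", tok, "new one"))
    print("replay of used token:", svc.complete_reset("bob", tok, "again"))
```

The design choice worth noting is that the token is looked up and removed in one step: a token that fails any check is gone, so a mismatched or late request cannot be corrected and resubmitted. The account name in the request is still validated against the name bound to the token rather than trusted on its own, which is the check the weak form lacks.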
May 9, 2003, 23:57 | #2
Emperor | Join Date: Dec 2002 | Location: Wal supports the CPA | Posts: 3,948
That's nothing. The hard part would be getting Asher to admit a Microsoft security flaw.
__________________
Only feebs vote.
May 9, 2003, 23:59 | #3
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
I don't see the point of this thread.
Security flaw found, MS engineers worked overnight and fixed it by morning.
What they also don't mention in the article is the guy sent e-mails to MS departments completely unrelated to software security.
Oh the humanity.
Quote:
Originally posted by Agathon
That's nothing. The hard part would be getting Asher to admit a Microsoft security flaw.
Words cannot describe the stupidity of that post.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 00:04 | #4
Settler | Join Date: Jan 2002 | Location: Battle Creek, Michigan | Posts: 23
Asher
You can only say this was not a problem because the hackers who found it were stupid and the researcher who reported it was honourable.
Quote:
Danka said he discovered the flaw after unknown hackers repeatedly hijacked Passport accounts belonging to him and a friend. He said he found the problem on Microsoft's Web site that controls Passport accounts about four minutes after he began searching in earnest.
EDIT: Typos
__________________
The ways of Man are passing strange, he buys his freedom and he counts his change.
Then he lets the wind his days arrange and he calls the tide his master.
May 10, 2003, 00:06 | #5
Emperor | Join Date: Dec 2002 | Location: Wal supports the CPA | Posts: 3,948
Quote:
Originally posted by Asher
I don't see the point of this thread.
Security flaw found, MS engineers worked overnight and fixed it by morning.
What they also don't mention in the article is the guy sent e-mails to MS departments completely unrelated to software security.
Oh the humanity.
Here he is, still marching stiffly to the Redmond drum. Did any God in the history of fanaticism ever have such a blindly faithful worshipper as Gates has Asher?
I think not....
__________________
Only feebs vote.
May 10, 2003, 00:06 | #6
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
Quote:
Originally posted by Promethus
Asher
You can only say this was not a problem because the hackers who found it were stupid and the researcher who reported it was honourable.
Honourable? Maybe, but he was rather stupid himself.
There are official channels for this kind of information, mass-mailing them to stuff like pr@microsoft.com doesn't get you anywhere.
MS found out about it from a C|Net story on it, which the "honourable" hacker leaked to the public so anyone could exploit it.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 00:08 | #7
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
Quote:
Originally posted by Agathon
Here he is, still marching stiffly to the Redmond drum. Did any God in the history of fanaticism ever have such a blindly faithful worshipper as Gates has Asher?
I think not....
You wanna contribute, contribute.
If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.
Grow up.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 00:10 | #8
Emperor | Join Date: Dec 2002 | Location: Wal supports the CPA | Posts: 3,948
Quote:
Originally posted by Asher
If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.
Awwwww, poor little rich gay fascist boy.
__________________
Only feebs vote.
May 10, 2003, 00:11 | #9
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
http://news.com.com/2100-1002-1000429.html?tag=nl
Quote:
However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.
So, moral of the story:
Hacker reports the bug to irrelevant MS departments, publishes them online for everyone to exploit, anti-MS zealots around the world laugh it up because "he contacted MS and they didn't fix it until it was published" (probably because he 1) didn't allow enough time for employees to forward the message seeing as it was 8pm, 2) didn't send it to the 24/7-watched secure@microsoft.com address).
And regardless, MS worked overnight to fix it the moment the security teams found out about it.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 00:16 | #10
Join Date: Aug 2001 | Location: Skanky Father | Posts: 16,530
Quote:
Originally posted by Agathon
Awwwww, poor little rich gay fascist boy.
With the intelligence level you routinely display, your posts simply aren't worth reading.
Welcome to my ignore list.
__________________
I'm building a wagon! On some other part of the internets, obviously (but not that other site).
May 10, 2003, 00:17 | #11
Emperor | Join Date: Dec 2002 | Location: Wal supports the CPA | Posts: 3,948
Quote:
Originally posted by Skanky Burns
With the intelligence level you routinely display, your posts simply aren't worth reading.
Welcome to my ignore list.
A badge of honour.
__________________
Only feebs vote.
May 10, 2003, 00:18 | #12
Emperor | Join Date: Aug 2001 | Location: Portland, OR | Posts: 4,412
Quote:
Originally posted by Agathon
Awwwww, poor little rich gay fascist boy.
Well, that about confirms it--you're a shithead.
__________________
Tutto nel mondo è burla
May 10, 2003, 00:28 | #13
Join Date: Dec 1969 | Location: on the corner of Peachtree and Peachtree | Posts: 30,698
It took you this long, Boris?
__________________
“I give you a new commandment, that you love one another. Just as I have loved you, you also should love one another. By this everyone will know that you are my disciples, if you have love for one another.”
- John 13:34-35 (NRSV)
May 10, 2003, 00:33 | #14
Emperor | Join Date: Aug 2001 | Location: Portland, OR | Posts: 4,412
Quote:
Originally posted by Imran Siddiqui
It took you this long, Boris?
He graduated up from *******.
__________________
Tutto nel mondo è burla
May 10, 2003, 00:34 | #15
Join Date: Dec 1969 | Location: on the corner of Peachtree and Peachtree | Posts: 30,698
Or do you rather mean graduated down?
__________________
“I give you a new commandment, that you love one another. Just as I have loved you, you also should love one another. By this everyone will know that you are my disciples, if you have love for one another.”
- John 13:34-35 (NRSV)
May 10, 2003, 00:39 | #16
Emperor | Join Date: Aug 2001 | Location: Portland, OR | Posts: 4,412
Upgrade. From @sshole ME to shithead XP.
__________________
Tutto nel mondo è burla
May 10, 2003, 00:45 | #17
King | Join Date: Oct 2002 | Location: Seattle Washington | Posts: 2,954
agathon is officially worthless.
__________________
"I hope I get to punch you in the face one day" - MRT144, Imran Siddiqui
'I'm fairly certain that a ban on me punching you in the face is not a "right" worth respecting." - loinburger
May 10, 2003, 01:28 | #18
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
lol
figures.
Anyway I'm gonna start a windows company. Gonna call it Mikrosoft Windows. We're gonna make REAL windows for houses, the locks will be rigged to break after a couple days ensuring a way in for robbers!
May 10, 2003, 01:31 | #19
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
No I'm not anti-Microsoft. Hardly, considering the alternatives with Linux, but Linux isn't too bad for a free download.
My biggest gripe? WINE emulator only works half the $@^@! time
May 10, 2003, 01:32 | #20
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
WINE Is Not an Emulator.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 01:35 | #21
Emperor | Join Date: Dec 2002 | Location: Wal supports the CPA | Posts: 3,948
Quote:
Originally posted by Boris Godunov
Well, that about confirms it--you're a shithead.
Boo hoo. I'm so sad....
So it's OK for Asher to do things like accuse me of necrophilia, but not OK for him to take a bit now and then. Face it, Boris, your politics continually get in the way of rationality.
Pathetic...
__________________
Only feebs vote.
May 10, 2003, 01:37 | #22
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
$^@! Same friggin thing. Uses system DLLs ported to Unix.
I think you know what I meant
May 10, 2003, 01:39 | #23
President of the OT | Join Date: Nov 1999 | Location: Calgary, Alberta | Posts: 40,843
Quote:
Originally posted by Agathon
Boo hoo. I'm so sad....
So it's OK for Asher to do things like accuse me of necrophilia, but not OK for him to take a bit now and then. Face it, Boris, your politics continually get in the way of rationality.
Pathetic...
Someone should also explain to you the concept of a thread. Using my cheeky implication months ago in another thread that some people (in general) were necrophiliacs (I can't even remember the situation it was), is a completely separate thread from this one and certainly doesn't warrant your random insults even before I posted in here.
Take your comments somewhere where they're appreciated.
Or at least be a man and apologize.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
May 10, 2003, 01:41 | #24
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
lol
May 10, 2003, 01:45 | #25
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
I understand WINE is still under dev and all since 3.1. Most newer win32 apps won't work on Unix platforms. But a lot of other stuff has a big database to get what you need. Half the time it wouldn't work anyway.
May 10, 2003, 01:51 | #26
Settler | Join Date: Feb 2001 | Posts: 24
Well if Microsoft's Passport security is no worse than that of the French, I guess we should be thankful.
May 10, 2003, 01:51 | #27
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
I think most winapps are too dependent on DirX to be ported to Linux distros anyway. WineX is ok I guess but it isn't GNU, it's GNU LGPL
Last edited by faded glory; May 10, 2003 at 02:04.
May 10, 2003, 01:52 | #28
King | Join Date: Jan 2001 | Location: Fascist party of apolyton. | Posts: 1,405
OMFG IM TALKING ABOUT LINUX!!!!!!!
May 10, 2003, 01:59 | #29
Apolyton Grand Executioner | Join Date: Oct 1999 | Location: Fenway Pahk | Posts: 1,755
Quote:
Originally posted by Asher
If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.
If I did that, 90% of the OT posters would be gone.
However, looking at the last few posts in this thread, I can see I might have to bust a few heads. I've been falling behind Ming anyway.
__________________
Bush-Cheney 2008. What's another amendment between friends?
*******
When all else fails, blame brown people. | Hire a teen, while they still know it all.
May 10, 2003, 02:00 | #30
Apolyton Grand Executioner | Join Date: Oct 1999 | Location: Fenway Pahk | Posts: 1,755
Quote:
Originally posted by Agathon
Awwwww, poor little rich gay fascist boy.
Ok, this one gets you a week for starters.
__________________
Bush-Cheney 2008. What's another amendment between friends?
*******
When all else fails, blame brown people. | Hire a teen, while they still know it all.