
Security Vulnerability in Microsoft .NET Passport

michael posted more than 11 years ago | from the doh dept.

Security 440

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.


Remember... (5, Funny)

stu_coates (156061) | more than 11 years ago | (#5909141)

Remember folks, this is Trustworthy Computing! ;-)

Re:Remember... (5, Informative)

Anonymous Coward | more than 11 years ago | (#5909160)

According to a Dutch news site this hole was fixed shortly after the posting... So that's the way to talk to Microsoft.....

nu.nl [nu.nl] for people knowing how to read Dutch (no, NOT German)..

Re:Remember... (4, Funny)

jkrise (535370) | more than 11 years ago | (#5909336)

" according to a dutch news site this hole was fixed shortly after the posting... "

If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.

Re:Remember... (3, Funny)

rf0 (159958) | more than 11 years ago | (#5909229)

I wouldn't trust them to feed my fish.

Rus

MS-Passport and those that cannot/willnot read (5, Informative)

SgtChaireBourne (457691) | more than 11 years ago | (#5909370)

MS-Passport has long been known to be impossible to secure, even in theory: See Risks of the Passport Single Signon Protocol [avirubin.com] . Even the FTC charged Microsoft with deceptive advertising [ftc.gov] in regards to MS-Passport. Other governments are not getting caught with their mouth open either. Standards body forced Redmond to pull 'unsubstantiated and misleading' advertisement [vnunet.com]

There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz [com.com] to last through September.

We'll see if they last [pcmag.com] that long. Windows 2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office, has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

Re:Remember the Internet Toilet (0)

Anonymous Coward | more than 11 years ago | (#5909386)

"I wouldn't trust them to feed my fish."

But soon you will have to. The next "Big Thing" will be Microsoft's "Internet Enabled" fish tank. Of course, they will rapidly establish a monopoly position in fish tanks!

Boggle your mind on that!

Re:Remember... (5, Insightful)

ctellefsen (625088) | more than 11 years ago | (#5909261)

It's a good thing that (according to M$ ads) the hacker is an endangered species, so that there is no one around to exploit this exploit.

Current score: XBox is hacked, Passport is insecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.

Welcome to the age of untrustworthy computing...

Re:Remember... (5, Funny)

Gortbusters.org (637314) | more than 11 years ago | (#5909263)

That's one degree of difference with .NET!

Re:Remember... (4, Informative)

m00nun1t (588082) | more than 11 years ago | (#5909328)

I fully agree this passport problem is a lame & inexcusable fault that should never, ever have happened.

However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.

Oh my God (Mad scramble) (5, Funny)

LookSharp (3864) | more than 11 years ago | (#5909149)

Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

Re:Oh my God (Mad scramble) (1)

grarg (94486) | more than 11 years ago | (#5909162)

No need. register.passport.net seems to be completely down at the moment; I guess MS copped on.

Re:Oh my God (Mad scramble) (0)

LookSharp (3864) | more than 11 years ago | (#5909224)

As an aside,

I had intended this remark to be sarcastic humor, but instead I'm bogged in a sea of Insightful versus Overrated moderation. Am I the victim of a mod war? :)

Re:Oh my God (Mad scramble) (5, Funny)

Anonymous Coward | more than 11 years ago | (#5909323)

I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

Don't bother, I just did it for you.

Ooooh, I think I felt the tingle of surprise... (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5909153)

.... ...

no, wait, that was just static cling.

As lame as it sounds... (5, Funny)

Anonymous Coward | more than 11 years ago | (#5909155)

...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

Try stealing billgates@hotmail.com (2, Funny)

jkrise (535370) | more than 11 years ago | (#5909255)

You could freak out with all his credit cards! Assuming he's got a good credit rating though :-(

Re:Try stealing billgates@hotmail.com (1, Funny)

miscGeek (594829) | more than 11 years ago | (#5909312)

Even Billy Boy knows better than to trust M$ with his credit card information :)

Re:Try stealing billgates@hotmail.com (3, Funny)

rf0 (159958) | more than 11 years ago | (#5909318)

or just go for abuse@hotmail.com.

Rus

Nelson... (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5909157)

HA HAAaaa

404 error (2, Informative)

uberdood (154108) | more than 11 years ago | (#5909158)

Er, already fixed. I get a 404 error when I go there (with appropriate e-mail addresses).

Really tough fix (2, Funny)

alteridem (46954) | more than 11 years ago | (#5909196)

Sounds like a really tough fix... Delete the offending page... "There, see, it's secure."

Re:404 error Same here (0)

Anonymous Coward | more than 11 years ago | (#5909198)

The same happens here?

Did MS cancel this?

Re:404 error (1, Interesting)

bailout911 (143530) | more than 11 years ago | (#5909286)

Yeah, but you can clearly see that it's not a "standard" 404 page generated by either IIS or apache. Viewing the page source reveals Microsoft's fix:

--Begin Page Source--

404 not found

--End Page Source--

That's right, not even a "real" 404, just a text file claiming to be a 404.

Security flaw in Passport!!!! (5, Funny)

grahamlee (522375) | more than 11 years ago | (#5909163)

In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

Re:Security flaw in Passport!!!! (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5909174)

The world is round? Wha?

Re:Security flaw in Passport!!!! (2, Funny)

jkrise (535370) | more than 11 years ago | (#5909200)

"the England cricket team haven't won anything"

I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?

Re:Security flaw in Passport! (0)

Anonymous Coward | more than 11 years ago | (#5909341)

You know what you doing! Move 'Zim' for great justice.

Re:Security flaw in Passport!!!! (3, Funny)

rifter (147452) | more than 11 years ago | (#5909316)

twice two is four

It seems you are overdue for your appointment at miniluv, thought criminal!

Microsoft? Insecure? (-1, Troll)

AltGrendel (175092) | more than 11 years ago | (#5909165)

Naaaaaaa.

It'll never happen.

Re:Microsoft? Insecure? (1)

ftvcs (629126) | more than 11 years ago | (#5909388)

Gates: The truth is people just think it's cool to have bugs, they are not bugs. It's a social thing. really.

Oh no, not again... (5, Insightful)

girl_geek_antinomy (626942) | more than 11 years ago | (#5909167)

The depressing thing is, it's such a simple exploit...

Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.

When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly who would be able to do what with it. It's just common sense, surely?

I agree completely. (5, Insightful)

@madeus (24818) | more than 11 years ago | (#5909337)

I agree completely.

I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).

In the end the system has a really solid auth system: everything is authenticated, and when you try and actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.

It required mind-numbing discussions again and again to get it done, but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non-technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).

I utterly, utterly despair when I see cgi scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).

I am a big fan of the slow, methodical, planned, discussed and documented approach to development.

The previous exploits for hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...

A legitimate use? (2, Informative)

Gleeb (645116) | more than 11 years ago | (#5909168)

Thank the lord for POP ;)

People still use POP? (0)

Anonymous Coward | more than 11 years ago | (#5909265)

IMAP all the way, baby!

Re:A legitimate use? (1)

Bendy Chief (633679) | more than 11 years ago | (#5909308)

Indeed. I just recently fully migrated from my abominable Hotmail address to my POP3. I can't believe how bad Hotmail's gotten, between popups, appending service ads to your outgoing mail, changing their login screen to be full of (guess what) ads, and not letting you correctly apply your own spam filters.

No indeedy! If I want to redirect mail with my own filters, I can't actually send it to the size-unrestricted Junk Mail folder!

Re:A legitimate use? (1)

pldms (136522) | more than 11 years ago | (#5909366)

Indeed. I just recently fully migrated from my abominable Hotmail address to my POP3. I can't believe how bad Hotmail's gotten, between popups, appending service ads to your outgoing mail, changing their login screen to be full of (guess what) ads, and not letting you correctly apply your own spam filters.

Agreed. I've been a hotmail user since the pre-Microsoft days, but now use another account. However you can forward mail easily using Gotmail [nongnu.org] if you want to keep an eye on it.

Re:A legitimate use? (1)

Bendy Chief (633679) | more than 11 years ago | (#5909384)

Thank you kindly, sirrah, from another pre-MS Hotmail user who's cried at their meteoric fall from grace. ;)

The Microsoft Information Minster Says: (5, Funny)

retards (320893) | more than 11 years ago | (#5909171)

We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

Re:The Microsoft Information Minster Says: (0)

Anonymous Coward | more than 11 years ago | (#5909195)

If I wasn't a mere AC, I'd mod you up for that. Far funnier than the other "Funny" comments.

Re:The Microsoft Information Minster Says: (1)

retards (320893) | more than 11 years ago | (#5909201)

What's an AC?

Thanx, anyway!

Re:The Microsoft Information Minster Says: (0, Funny)

Anonymous Coward | more than 11 years ago | (#5909277)

What's an AC?

Air Conditioner. I don't think air conditioners are actually banned from moderating, but I've never heard of one that could.

Re:The Microsoft Information Minster Says: (0)

Anonymous Coward | more than 11 years ago | (#5909352)

Actually, in this forum I believe it means alternating current. Electricity has been known to troll around, so moderating for it is definitely out of the question.

now be fair (4, Funny)

Joe the Lesser (533425) | more than 11 years ago | (#5909172)

unsuccessful attempts to contact Microsoft.

It's not their fault Outlook kept crashing, right?

Re:now be fair (1)

jkrise (535370) | more than 11 years ago | (#5909314)

"It's not their fault Outlook kept crashing, right?"

Nope... actually support@hotmail.com was taken over by rms-gnu@hotmail.com
The GNU team folks are promising a fix faster than MS, provided they can make the entire code GPL!

FUD (0, Informative)

Anonymous Coward | more than 11 years ago | (#5909173)

Do stop with the FUD - this has already been fixed. It even says so in the news.com.com.com.com.com article:
"The advisory was posted just before 8 p.m. PDT, and by 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company."

May I suggest the headline on the article be changed from "Security Vulnerability in Microsoft .NET Passport" to "Security Vulnerability Fixed"?

Re:FUD (3, Insightful)

girl_geek_antinomy (626942) | more than 11 years ago | (#5909186)

Instead if you're a legitimate user who's forgotten their password you're now f*cked. *sigh*. Nice to know things have improved then...

Re:FUD (1, Funny)

Bendy Chief (633679) | more than 11 years ago | (#5909331)

This, friend, is why I write my passwords on all my personal effects!

It's handy-dandy, and I've never had a probASDFK6GJL45SDJ6G-CARRIER LOST-

Re:FUD (3, Insightful)

markov_chain (202465) | more than 11 years ago | (#5909202)

Sure, *this one* is fixed, but it sure doesn't inspire confidence in the security of their service. Who knows if there are other holes left for crackers to exploit...

Re:FUD (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5909247)

Fixed? They disabled resetting of passwords... that is a quick hack to stop the bleeding, but it does not get around the real issue of poor design. Is it that hard to actually think about what kind of input can come in a query string, and what should be done with it? Aren't they supposed to be professionals? I learned about this in a CS course, and I couldn't help thinking, "duh, any sensible person wouldn't be that stupid..." Obviously I was wrong.

Re:FUD (5, Insightful)

CowboyBob500 (580695) | more than 11 years ago | (#5909253)

Fixed does not mean simply 404ing the offending page. There are many legitimate users now who cannot change their passwords. This is a cheap hack while they work out what the fsck to do about the real problem.

Bob

Re:FUD (1)

danheskett (178529) | more than 11 years ago | (#5909281)

Fixed does not mean simply 404ing the offending page.
The vulnerability is no longer vulnerable. It's fixed, but by a hack.

A permanent solution is also a fix.

Re:FUD (0)

Lord Sauron (551055) | more than 11 years ago | (#5909322)

So that means that if you have a software bug, you can simply say "shut your computer down, and the buggy piece of code will not run."?

What a programmer !

Re:FUD (1)

edyavno (190451) | more than 11 years ago | (#5909269)

How's turning off the ability to recover your password "fixing" it? It's not a fix, but disabling a feature that's essential for users who've forgotten their passwords. It's only temporary of course: it stops people from using the exploit while MS is working on really fixing it.

Re:FUD (0, Interesting)

Anonymous Coward | more than 11 years ago | (#5909301)

Follow the logic carefully, you may find it difficult:

1) a security vulnerability is found.
2) a change is made.
3) the security vulnerability is no longer present.

So what if it's a temporary fix put in place while a better one is produced? It's still a fix, and the headline stating that there IS a vulnerability in Passport is still wrong: there WAS a vulnerability, but it has been fixed. Pure michael FUD.
If this chain of events is followed, we say "the security vulnerability has been fixed".

Re:FUD (1, Interesting)

Anonymous Coward | more than 11 years ago | (#5909279)

And what if Microsoft had not been kindly warned of the exploit by the person who found it?

Re:FUD (2, Redundant)

aug24 (38229) | more than 11 years ago | (#5909346)

Let's start with the observation that it isn't fixed. All they've done is turn off the password change routines at the back end...!

Personally I suggest everyone reading this makes sure to tell everyone they know, in order to stop people blindly trusting any incompetents. The fact that it's MS just makes the schadenfreude better.

Justin.

Re:FUD (2, Interesting)

CrazyJ020 (219799) | more than 11 years ago | (#5909353)

This security vulnerability, and the accompanying quick fix, seem to actually enforce Microsoft's touted concept of centralized computing and services.

Think about it, with a company like Microsoft, there is no doubt vulnerabilities will exist. If this was a distributed product we would still have script kiddies years from now drilling on this exploit. Now that it is a centralized service, it has been fixed in one place before any substantial damage has been done. -- Which evil do you want today?

Re:FUD (0)

Anonymous Coward | more than 11 years ago | (#5909371)

Quick fix? They didn't fix it until it was public! They denied 10 emails to fix it, and they only fixed it when it had a chance of damaging PR.

Trustworthy? I think not.

"Fixed" (1)

rf0 (159958) | more than 11 years ago | (#5909175)

Just tried this to reset one of my accounts and got a 404 on https://register.passport.net/emailpwdreset.srf. So I suppose this is fixed. I was actually trying to find out if it affected non-hotmail addresses which had been linked to M$ Passport.

Rus

Ruh Roh Raggy (4, Funny)

Ralph Wiggam (22354) | more than 11 years ago | (#5909176)

Holy Crap!

If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

With .NET, there's only one degree of separation between me and evil crackers.

-B

Re:Ruh Roh Raggy (5, Funny)

archen (447353) | more than 11 years ago | (#5909317)

If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

Re:Ruh Roh Raggy (1)

tanveer1979 (530624) | more than 11 years ago | (#5909319)

If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

Wow that would be bad, after all you must be a real miracle since you got both! ;-)

good (5, Funny)

Nevrar (65761) | more than 11 years ago | (#5909178)

"...the victim's accounts..."

It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

Oh no (5, Funny)

Rik Sweeney (471717) | more than 11 years ago | (#5909180)

A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

But that spam is personal to me. It's not for anyone else.

New security alert (0)

Anonymous Coward | more than 11 years ago | (#5909181)

sites running .Net adds affected

Can someone explain this? (5, Insightful)

jkrise (535370) | more than 11 years ago | (#5909182)

"A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "

I fail to understand what Microsoft .NET Passport means. I only know Hotmail said:
In 1999: Login to Hotmail
In 2000: Login to Passport
2001 and later: Login to .Net

Nobody seems to know what the hell .Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.

Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.

Re:Can someone explain this? (5, Funny)

Anonymous Coward | more than 11 years ago | (#5909232)

I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

Re:Can someone explain this? (1, Informative)

Anonymous Coward | more than 11 years ago | (#5909259)

Nobody seems to know what the hell .Net is all about (including MS).
Lots of people understand what it's about. I use it every single day. Perhaps what you mean is that you don't understand what it's about. In that case, go to http://www.microsoft.com/net/ [microsoft.com] and look around.

Re:Can someone explain this? (0)

Anonymous Coward | more than 11 years ago | (#5909268)

.net is the term used for any m$ product that is developed specifically so that VB programmers, who are too dumb to learn PHP, can drag & drop web pages. .net really stands for "no education (needed) technology". The original name for it is Simple Technology (lets) Users Program Internet DHTML (STUPID).

Nice going, MS. (4, Interesting)

Renraku (518261) | more than 11 years ago | (#5909184)

Too bad this was caused by a blatant underestimation of the power of curious users. If I had ever used the feature, I would have picked it up instantly.

Finally... (2, Funny)

rf0 (159958) | more than 11 years ago | (#5909187)

All those l33t hax0rs can now stop asking how to hack hotmail. The answer's right here (if it wasn't 404'd).

Rus

Yes!! (1)

marcushnk (90744) | more than 11 years ago | (#5909188)

Go the trustworthy computing!

Well, at least now I know... (5, Funny)

johannesg (664142) | more than 11 years ago | (#5909190)

...where I don't want to go today.

Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

mmm (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5909191)

waiting for

This should encourage anti-DRM folks (5, Insightful)

hrbrmstr (324215) | more than 11 years ago | (#5909197)

While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?

And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.

Constant vulnerabilities == no real DRM.

Choice of words (-1, Redundant)

truthsearch (249536) | more than 11 years ago | (#5909208)

Microsoft user = victim

Palladium/NGSCB (1)

leomekenkamp (566309) | more than 11 years ago | (#5909216)

If those guys at Microsoft keep up their abysmal record of 'security', there will be no point whatsoever in Palladium/NGSCB/NewCoolMSName/whatever keeping a computer 'trusted'; when a 'trusted' part of the system has a hole as big as this hotmail flaw, that leaves the whole system wide open.

Does the XBox BIOS accept URLs of some sort?

boot://localhost/bootmrg.sys?lc=1033&id=&boot=lilo

Jokes aside... (5, Interesting)

ParnBR (601156) | more than 11 years ago | (#5909221)

Sooner or later they'll start blaming users for providing personal information, and excusing websites and companies from security flaws.

Microsoft .NET Passport Passwords.. :-) (1, Funny)

jkrise (535370) | more than 11 years ago | (#5909222)

Repeat this rapidly ten times, and watch your tongue get locked faster than Windows XP!!

Echelon made easy (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5909226)

This is a perfect way to collect email addresses from script kiddies like you and me.

Then turn the email list to the appropriate agency and fixed.

Whoever has got... (5, Funny)

archetypeone (599370) | more than 11 years ago | (#5909231)

victim@hotmail.com or attacker@attacker.com is going to be really pissed...

What do people expect? (4, Interesting)

Anonymous Coward | more than 11 years ago | (#5909238)

You expect security from a company with one of the worst track records in the industry? Ha!
The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.

Re:What do people expect? (-1, Redundant)

rf0 (159958) | more than 11 years ago | (#5909340)

Microsoft go for the release fast and patch after option. Get something out the door and go "Look, WOW, new bit of software, come and use it". Then patch it afterwards. Now you can't expect any software to be bug-free, but you can't help but think they could try harder.

Rus

Flawed concept (2, Insightful)

YrWrstNtmr (564987) | more than 11 years ago | (#5909246)

And eventually, we will see a similar exploit on Sun's Liberty system as well.

The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

And the open source community... (0, Insightful)

Anonymous Coward | more than 11 years ago | (#5909250)

has come up with a viable alternative to Passport, right? One that will allow me to authenticate once to a single source and then access all my applications?

No?

Didn't think so.

How do you contact Microsoft? (5, Interesting)

Albanach (527650) | more than 11 years ago | (#5909258)

This raises an interesting question about how, exactly, you are supposed to notify Microsoft by email.

Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.

This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?

Re:How do you contact Microsoft? (2, Informative)

Anonymous Coward | more than 11 years ago | (#5909293)

Yes, it's called posting on slashdot, silly!

Re: Procedure to inform them it's broken. (5, Interesting)

zakezuke (229119) | more than 11 years ago | (#5909302)

There is an outlined procedure for this sorta thing...

In the event a user discovers an exploit, inform user to reboot machine and it will go away.

But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sort of automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People I've known that worked there also have no clue as far as who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking the vendor is Microsoft.

RTFA (2, Informative)

Anonymous Coward | more than 11 years ago | (#5909324)

secure@microsoft.com

Re:How do you contact Microsoft? (4, Funny)

PerryMason (535019) | more than 11 years ago | (#5909332)

Do they actually have a procedure to inform them when things are broken?

As far as i'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.

The Damage Has Been Done (5, Insightful)

TubeSteak (669689) | more than 11 years ago | (#5909289)

"Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts."

It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.

~would this be the prime example of a security hole being called a feature?~

What's really scary... (1, Informative)

Anonymous Coward | more than 11 years ago | (#5909291)

... about this is how Microsoft continues to soapbox about how secure M$ products are yet repeatedly ignores those who find holes. This guy sent them several emails about this and they did nothing until they were called out on it. The same thing happened with BO and CdC. They informed M$ of security issues related to "Back Office" and then created Back Orifice as a "See, I told you so", when M$ refused to acknowledge the problem...

thoughts (2, Interesting)

unborracho (108756) | more than 11 years ago | (#5909307)

Since the report wasn't very descriptive, I was hoping someone could enlighten me. I would assume that since they don't ask you to provide your old password to change it, this is a method for users who forgot their old password to get it reset to some random password that Microsoft gave, and have it sent to an email that the user provided from the website.

So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with .NET? (assuming it's non-hotmail)
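The mechanism the post above reasons about (a reset password mailed to an address the requester supplies) and the earlier remark about thinking hard about password-resetting systems both come down to one design rule: the reset secret may only ever go to the address captured at registration, and it should be a short-lived, single-use token rather than a new password. The following is an added example in Python, not Passport's code and not anything posted in this thread; the 15-minute token lifetime, the in-memory account store, the `Outbox` stand-in for a mail sender and the PBKDF2 iteration count are all assumptions made for the illustration.

```python
"""Hardened password-reset flow (added example; assumptions noted inline)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a short reset window


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 from the stdlib; the iteration count is illustrative."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class Account:
    username: str
    email_on_file: str  # captured at registration; the only address a reset may go to
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0


class Outbox:
    """Constructed stand-in for an SMTP sender; records (recipient, body) pairs."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


class PasswordResetService:
    GENERIC_REPLY = "If that account exists, a reset link was sent to its registered address."

    def __init__(self, accounts: Dict[str, Account], mailer: Outbox,
                 clock: Callable[[], float] = time.time) -> None:
        self.accounts, self.mailer, self.clock = accounts, mailer, clock

    def request_reset(self, username: str) -> str:
        # There is no destination parameter: the caller cannot choose where the token goes.
        account = self.accounts.get(username)
        if account is not None:
            token = secrets.token_urlsafe(32)
            # Store only a hash, so a leaked database row cannot be replayed as a token.
            account.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
            account.reset_expires_at = self.clock() + TOKEN_TTL_SECONDS
            self.mailer.send(account.email_on_file, f"reset-token:{token}")
        # Identical reply whether or not the account exists, to avoid account enumeration.
        return self.GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        presented = hashlib.sha256(token.encode()).hexdigest()
        for account in self.accounts.values():
            stored = account.reset_token_hash
            if stored is None or not hmac.compare_digest(stored, presented):
                continue
            if self.clock() > account.reset_expires_at:
                return False  # matched but expired: still refused
            account.password_hash = hash_password(new_password)
            account.reset_token_hash = None  # single use
            account.reset_expires_at = 0.0
            return True
        return False


def demo() -> Dict[str, object]:
    """Walk the flow with a controllable clock; returns the observations for checking."""
    now = [1_000_000.0]
    outbox = Outbox()
    accounts = {"victim": Account("victim", "victim@example.test", hash_password("old-pw"))}
    svc = PasswordResetService(accounts, outbox, clock=lambda: now[0])

    reply_known = svc.request_reset("victim")
    reply_unknown = svc.request_reset("nobody")  # sends nothing, same reply
    recipient, body = outbox.sent[0]
    token = body.split(":", 1)[1]
    first = svc.complete_reset(token, "new-pw")
    replay = svc.complete_reset(token, "attacker-pw")  # single use: must fail

    svc.request_reset("victim")
    late_token = outbox.sent[1][1].split(":", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.complete_reset(late_token, "too-late")

    return {
        "same_reply": reply_known == reply_unknown,
        "mails_sent": len(outbox.sent),
        "recipient": recipient,
        "first": first, "replay": replay, "expired": expired,
        "new_pw_works": verify_password("new-pw", accounts["victim"].password_hash),
        "old_pw_works": verify_password("old-pw", accounts["victim"].password_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks worth taking from this: `request_reset` has no argument through which a requester could redirect the mail, and `complete_reset` refuses a token that is unknown, already used, or past its expiry, so disabling the whole feature (the 404 discussed elsewhere in the thread) is not the only way to close such a hole.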

404 (2, Informative)

Richard_J_M (85730) | more than 11 years ago | (#5909309)

The vulnerability seems to return a 404 - so it seems hotmail have taken notice after all - even though it took a /. to make them notice.

Add one to the pile (5, Funny)

Ashyukun (551101) | more than 11 years ago | (#5909311)

Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

Re:Add one to the pile (0)

Anonymous Coward | more than 11 years ago | (#5909362)

So what is it? Cummings? Crapper? Fuckface? ;)

Re:Add one to the pile (0)

Anonymous Coward | more than 11 years ago | (#5909387)

I'm guessing Woodcock or Allcock.

Funny stuff (2, Funny)

Anonymous Coward | more than 11 years ago | (#5909339)

From the passport.net page, in a big green box, under the title "SECURITY", it reads:

Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

why? (1)

qbproger (467459) | more than 11 years ago | (#5909358)

Why does Microsoft always wait to fix security vulnerabilities like this? It seems like if it's not affecting one million people they don't care.

Maybe it's because they don't want to fix vulnerabilities that aren't being taken advantage of? Seems as though there are a lot of them.

Getting yelled at? (0)

Anonymous Coward | more than 11 years ago | (#5909379)

I wonder if there is someone working at Microsoft today in a board room right now getting yelled at by some big shot?