E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: ZDNet UK

Posted on November 7, 2001

      Software flaws in the security of Microsoft's Passport authentication system left consumers' financial data wide open, causing the software giant to remove a key service from the Internet to protect people from having their data stolen, a company representative acknowledged on Friday.

      The admission came after an open-source programmer demonstrated serious security flaws in Wallet -- the Passport service that keeps track of data used by e-commerce sites. Microsoft shut down the service Thursday, casting a pall on the company's recent efforts to convince consumers that it is serious about security. The incident also undermined the software giant's claims that its Passport system can keep customers' financial data safe. "It is very easy to fix the example exploit that I came up with," said Marc Slemko, the Seattle-area software engineer and open-source programmer who discovered the problems. "But to fix the inherent flaws in Passport is a pretty complex task."

      By sending a Hotmail user a specially crafted e-mail, Slemko could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications -- say, a Web mail site and a financial site -- are not rigorously checked for security. Slemko's idea was to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15 minutes.

      Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, shows the extent of the problems Microsoft needs to overcome.

      "It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in his paper outlining the attack.

      Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing any danger that consumers could have had their information stolen.

      "Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategy group.

      Microsoft plans to shorten the time a person remains authenticated to about a minute, Sohn said. He added that the attack would not have been successful if the potential victim had been using Windows XP, Microsoft's new operating system.

      Passport is a linchpin in Microsoft's .Net strategy, acting to authenticate every person that attempts to access a service through the software giant's service.

      Because of that, it's important that Microsoft do everything right, Slemko said. He held out little chance that the company would, however. "The risks to users today is mitigated substantially by the fact that Passport is not all that widespread for anything more important than Hotmail accounts and customizations on other Microsoft sites," he said. "The security implications, however, of having this Passport be a single identity for a user in widespread use across the Internet are dire."

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.