Passport flaws let anyone control passwords

Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly-discovered flaws permitted anyone to change an existing Passport account’s password at will. This gave the intruder the use of any credit-card numbers that had been entered by the original user.

The password change could be accomplished by simply visiting Microsoft’s Passport site, Register.Passport.com, and including a user’s e-mail address – such as example@hotmail.com – as a parameter in the address bar of the visitor’s browser. In response, the Passport site then sent a “change password” link by e-mail to any e-mail address that had been included as a second parameter. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.

I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked“) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.

In August 2002, Microsoft agreed to settle a complaint filed by the U.S. Federal Trade Commission (FTC) against Passport and its Wallet credit-card payment feature.

• “Microsoft falsely represented,” according to the FTC action, “that it employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers’ personal information collected through its Passport and Passport Wallet services, including credit card numbers.”

One researcher who sounded the latest alarm bells, Qazi Ahmed of PakCERT (Pakistan Computer Emergency Response Team), said in a statement that other issues remain unsolved in Passport. “We were forced to release this information publicly,” Ahmed reported, “as these vulnerabilities are actively being exploited in the wild and are some of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net/Passport.” He declined to reveal technical details of the other problems because, he said, Microsoft has no fix available yet.

My take? Don’t use Passport or enter any credit-card or financial information into it. Unfortunately, this may be difficult for some users. Microsoft requires a Passport account to access several of its services, including Hotmail and technical support for some consumer products. But I’d say you can have a Wallet full of credit cards or you can have a wallet full of credit cards. The choice is yours.

My thanks to reader James Merrill for his help on this topic. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

Without warning, XP SP1 prevents backup media from restoring

One of the worst IT nightmares is the perfect backup tape or disk that tested fine when it was made, but won’t restore properly – or at all – when its information is really needed.

The April 24 issue of Brian’s Buzz on Windows reported on problems that can be caused by installing Service Pack 1 of Windows XP. That upgrade can also cause grief when you try to restore files from backups that were completely reliable prior to SP1, according to reader John Butler. As he explains it:

• “Here are tips for users who regularly backup and have installed SP1.

  “Drive Image from Powerquest will no longer be compatible. The user will not know this until they attempt to restore from a backup image, which then fails. Tech support has no idea which part of SP1 caused this, so they are nowhere near a cure.

  “Backup My PC from Veritas is marketed now by Stomp in North America and Australia, by Oralix elsewhere. Users who installed BuMP before SP1 will not realize that disaster recovery with the boot floppies they created will not work. (New installers are warned.) To install after a disaster, Windows XP has to be reinstalled, then BuMP 8.5 installed, then a full restore done from the latest media with overwriteall enabled.

  “Norton Ghost 2003 is still valid after SP1 has been installed on top of it.” –John Butler

I couldn’t find specific documents about this at Microsoft’s Web site. Perhaps something will turn up by my next issue.

Other significant Microsoft issues:

• ‘Skins’ for Media Player 7.1 and 8.0 (XP) could run hacker code (critical patch)
• Simple steps to stop the XP welcome screen from hanging during logon
• XP SP1 re-starts searches of Windows 2000 SP3 drives (patch available)

FreeRAM XP Pro 1.31: monitor and optimize your available memory

Even under Microsoft’s newest operating system, Windows XP, some applications still have problems allocating memory and then releasing it to allow other programs to use it efficiently. FreeRAM XP Pro 1.31 is a new version of YourWare Solutions’ free memory-optimization utility (524 KB) that supports Windows 95, 98, Me, 2000, and XP. (An older, “lite” version also supports NT 4.0.) Within its first six days, the new release was already rated “thumbs up” by 10 out of the first 10 installers who reviewed it for CNET. More info

Virtual attractiveness is more than meets the eye

Quick! Look through these photographs of healthy young men and women and choose the one you find the most attractive.

In actual experiments, the people who volunteered to rate the faces were clear that certain ones were much better looking than others. Here’s the kicker – each face that was selected as the best was computer generated by morphing all the photographs of the same sex together into one.

The site that conducted these experiments won a European student prize for its project. The work was done in Germany, but the site’s English section (see link below) is a perfect translation. There are about a dozen pages, and it’s hard for me to choose which one is the most intriguing. Virtual Attractiveness