Last week I read that Muhammad Faisal Rauf Danka, a computer researcher in Pakistan, discovered how easy it was to breach Microsoft's security procedures for the Passport service. Passport is Microsoft's common security interface to all of their services, including Hotmail. Generally you must sign up with Passport in order to use any service offered by Microsoft or MSN that requires protection.
The flaw is so amazingly simple that it would be surprising if someone else (a hacker or two perhaps) had not already discovered and exploited it. "It was so simple to do it. It shouldn't have been so simple," Danka told The Associated Press in a telephone interview from Karachi. "Anyone could have done this."
He reported that he was investigating why Passport accounts belonging to him and a friend were being repeatedly hijacked. Within a few minutes of deciding to figure out why, he had determined the reason. You simply request a specific Web address that includes the phrase "emailpwdreset". This causes the Passport account to have its password reset to nothing, allowing someone to change the password to whatever is desired.
"We didn't validate the input," Product Manager Adam Sohn said. "We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this."
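To make the root cause concrete, here is an added example (not Passport's code; a constructed Python sketch with hypothetical names such as ACCOUNTS, vulnerable_reset and hardened_reset): a reset handler that acts on the bare URL flag, beside one that only honours a server-issued, expiring, single-use token.

```python
"""Password-reset handling: an unvalidated request vs. a token-bound one.

Constructed illustration of the bug class described above (an externally
reachable URL that triggers an internal reset), not Passport's own code.
"""
import hashlib
import hmac
import secrets
import time

# In-memory account store, constructed for the example.
ACCOUNTS = {"alice": {"password": "hunter2", "reset": None}}


def vulnerable_reset(account: str, params: dict) -> bool:
    """Trusts the request alone: any caller naming an account and adding the
    internal 'emailpwdreset' flag clears its password. Nothing ties the request
    to an action the system itself initiated."""
    if "emailpwdreset" in params and account in ACCOUNTS:
        ACCOUNTS[account]["password"] = ""
        return True
    return False


def issue_reset_token(account: str, ttl_seconds: int = 900) -> str:
    """Server-side step: mint a random token, store only its hash with an
    expiry, and return the token (the value that would be e-mailed)."""
    token = secrets.token_urlsafe(32)
    ACCOUNTS[account]["reset"] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": time.time() + ttl_seconds,
    }
    return token


def hardened_reset(account: str, params: dict, new_password: str) -> bool:
    """Completes the reset only with a live, single-use token bound to the
    account. The URL flag alone proves nothing; the mailed token does."""
    record = ACCOUNTS.get(account, {}).get("reset")
    token = params.get("token", "")
    if not record or time.time() > record["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["digest"]):
        return False
    ACCOUNTS[account]["reset"] = None  # single use
    ACCOUNTS[account]["password"] = new_password
    return True
```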
Last year Microsoft entered into a settlement with the Federal Trade Commission under which any lapse in Passport security (i.e., Microsoft must take reasonable safeguards to protect consumer data) can be fined at up to $11,000 per violation. If you assume that all two hundred million Passport accounts are each separate violations, then Microsoft could theoretically be fined in excess of two trillion dollars!
Adam Sohn acknowledged that these specially formed URLs should have been rejected, as they were for internal use only. In any event, Microsoft shut down the password-reset service for a full day while they came up with a correction.
Unless otherwise noted, all photos and text are Copyright © Richard G Lowe, Jr.