Hotmail & Passport Vulnerability
Results 1 to 10 of 10

Thread: Hotmail & Passport Vulnerability

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Hotmail & Passport Vulnerability

    You can read the details here:

    http://lists.netsys.com/pipermail/fu...ay/009593.html


    Edit: n00dle, I saw your post but couldn't add anything to that thread anymore. Also I couldn't find the 'new' thread. So I'm starting one now.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hey, thats interesting...
    only posted yesterday... thanks for the heads up!
    yeah, I\'m gonna need that by friday...

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Well, I tried it and the response I got is attached.


    Cheers:
    DjM

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by DjM
    Well, I tried it and the response I got is attached.
    The reason it doesn't work anymore is probably because it also got posted to bugtraq today. AFAIK the whole password reset thing doesn't work anymore.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Hmmm.... I just tryed it after I recieved the BugTraq post and it worked for my hotmail account.

    This is kind of scary and does not make me want to use the passport service. I guess its time to clean out the old hotmail account of any information.

    Here is a copy of the email I recieved.

    Hello email address removed:

    You asked Microsoft® .NET Passport to help you reset your password. Please
    follow the instructions in this message to complete the process.

    TO RESET YOUR PASSWORD, click this link to create your new password at the .NET
    Passport Web site:
    http://link to password reset

    IF YOU DID NOT REQUEST THAT .NET PASSPORT HELP YOU RESET YOUR PASSWORD...

    Please click the following link to cancel this request:
    link to another passport site

    IF CLICKING A LINK DOESN'T WORK...

    Copy it, and then paste it into your Web browser's address bar.
    Select the entire link (which starts with http:// and may include more than one
    line) and then copy it, usually by clicking the "Edit" menu item and then
    clicking "Copy". Next, open your Web browser and click in the box where you
    usually see the Web page address. Paste the link into this box (usually by
    clicking "Paste" in the "Edit" menu) and click "Go" or "Enter".

    For additional help, click the following link to contact .NET Passport Customer
    Support: http://register.passport.net/contactus.srf?LC=1033.

    Thank you,
    NET Passport Customer Support


    Please do not reply to this message; it was sent from an unmonitored e-mail
    address and we are unable to respond to any replies.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by SirDice
    The reason it doesn't work anymore is probably because it also got posted to bugtraq today. AFAIK the whole password reset thing doesn't work anymore.
    This is off a cnet article posted today:

    Microsoft moved quickly to prevent online vandals from exploiting the issue, and posted its advisory just before 8 p.m. PDT. By 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, a spokesman for the company.
    The whole article is here

    Cheers:
    DjM

  7. #7
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Just retested and they have fixed the problem. It will no longer send an email to an external email address.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Looks likes this hole could mean serious trouble for MS

    Microsoft's latest security lapse with its Passport information service could trigger a $2.2 trillion fine on the company courtesy of the US government.

    Microsoft on Thursday admitted that a flaw in the password reset tool of its Passport service could compromise the information stored on all 200 million users. It scampered to post a fix and is looking into potential exploits, but the damage to Microsoft may already have been done
    Full Story

  9. #9
    Wow, is that ever interesting.. I wouldn't have thought they could have been fined for it.. but now that I think about it.. This is just about the only exploit that users will see a direct effect from, most often havn't closed their netbios ports (or even blocked them from ips ouside a mask) If that makes any sense..

  10. #10
    Junior Member
    Join Date
    Jan 2003
    Posts
    1

    Exclamation

    What would Brian Boitano do?!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •