Thread: Hotmail & Passport Vulnerability

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Hotmail & Passport Vulnerability

    You can read the details here:

    http://lists.netsys.com/pipermail/fu...ay/009593.html


    Edit: n00dle, I saw your post but couldn't add anything to that thread anymore. Also I couldn't find the 'new' thread. So I'm starting one now.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hey, that's interesting...
    only posted yesterday... thanks for the heads up!
    yeah, I'm gonna need that by friday...

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Well, I tried it and the response I got is attached.


    Cheers:
    DjM

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by DjM
    Well, I tried it and the response I got is attached.
    The reason it doesn't work anymore is probably because it also got posted to bugtraq today. AFAIK the whole password reset thing doesn't work anymore.

  5. #5
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Hmmm.... I just tried it after I received the BugTraq post and it worked for my hotmail account.

    This is kind of scary and does not make me want to use the passport service. I guess it's time to clean out the old hotmail account of any information.

    Here is a copy of the email I received.

    Hello email address removed:

    You asked Microsoft® .NET Passport to help you reset your password. Please
    follow the instructions in this message to complete the process.

    TO RESET YOUR PASSWORD, click this link to create your new password at the .NET
    Passport Web site:
    http://link to password reset

    IF YOU DID NOT REQUEST THAT .NET PASSPORT HELP YOU RESET YOUR PASSWORD...

    Please click the following link to cancel this request:
    link to another passport site

    IF CLICKING A LINK DOESN'T WORK...

    Copy it, and then paste it into your Web browser's address bar.
    Select the entire link (which starts with http:// and may include more than one
    line) and then copy it, usually by clicking the "Edit" menu item and then
    clicking "Copy". Next, open your Web browser and click in the box where you
    usually see the Web page address. Paste the link into this box (usually by
    clicking "Paste" in the "Edit" menu) and click "Go" or "Enter".

    For additional help, click the following link to contact .NET Passport Customer
    Support: http://register.passport.net/contactus.srf?LC=1033.

    Thank you,
    NET Passport Customer Support


    Please do not reply to this message; it was sent from an unmonitored e-mail
    address and we are unable to respond to any replies.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by SirDice
    The reason it doesn't work anymore is probably because it also got posted to bugtraq today. AFAIK the whole password reset thing doesn't work anymore.
    This is off a cnet article posted today:

    Microsoft moved quickly to prevent online vandals from exploiting the issue, and posted its advisory just before 8 p.m. PDT. By 11:30 p.m., the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, a spokesman for the company.
    The whole article is here

    Cheers:
    DjM

  7. #7
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Just retested and they have fixed the problem. It will no longer send an email to an external email address.

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Looks like this hole could mean serious trouble for MS

    Microsoft's latest security lapse with its Passport information service could trigger a $2.2 trillion fine on the company courtesy of the US government.

    Microsoft on Thursday admitted that a flaw in the password reset tool of its Passport service could compromise the information stored on all 200 million users. It scampered to post a fix and is looking into potential exploits, but the damage to Microsoft may already have been done
    Full Story

  9. #9
    Wow, is that ever interesting.. I wouldn't have thought they could have been fined for it.. but now that I think about it.. This is just about the only exploit that users will see a direct effect from, most often haven't closed their NetBIOS ports (or even blocked them from IPs outside a mask) If that makes any sense..

  10. #10
    Junior Member
    Join Date
    Jan 2003
    Posts
    1

    What would Brian Boitano do?!
