November 2, 2001 5:10 PM PST
Security problems open Microsoft's Wallet
The admission came after an open-source programmer demonstrated serious security flaws in Wallet--the Passport service that keeps track of data used by e-commerce sites. Microsoft shut down the service Thursday, casting a pall on the company's recent efforts to convince consumers that it is serious about security. The incident also undermined the software giant's claims that its Passport system can keep customers' financial data safe.
"It is very easy to fix the example exploit that I came up with," said Marc Slemko, the Seattle-area software engineer and open-source programmer who discovered the problems. "But to fix the inherent flaws in Passport is a pretty complex task."
By sending a Hotmail user a specially crafted e-mail, Slemko could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications--say, a Web mail site and a financial site--are not rigorously checked for security.
Slemko's idea was to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15 minutes.
Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, shows the extent of the problems Microsoft needs to overcome.
"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in his paper outlining the attack.
Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing any danger that consumers could have had their information stolen.
"Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategy group.
Microsoft plans to shorten the time a person remains authenticated to about a minute, Sohn said. He added that the attack would not have been successful if the potential victim had been using Windows XP, Microsoft's new operating system.
Because of that, it's important that Microsoft do everything right, Slemko said. He held out little chance that the company would, however.
"The risks to users today is mitigated substantially by the fact that Passport is not all that widespread for anything more important than Hotmail accounts and customizations on other Microsoft sites," he said. "The security implications, however, of having this Passport be a single identity for a user in widespread use across the Internet are dire."