Vulnerabilities discovered in Microsoft Corp.’s free e-mail and Passport authentication services allowed a programmer to access credit card information stored on the company’s servers, forcing it to shut down the electronic wallet feature in Passport until it can fix the problem, Microsoft confirmed Nov. 2.
By exploiting holes in Microsoft’s Hotmail e-mail service, as well as the Passport.com Web site used behind the scenes when a user logs onto Passport, a Seattle-based programmer was able to create a program which he said exposed personal information submitted by subscribers. The Web site Wired News first reported the exploit after testing the vulnerability with the programmer who discovered it.
“We took some quick steps to verify and fix the issues,” said Adam Sohn, a product manager with Microsoft’s .Net team. “As a general safety precaution we made the decision to take the (wallet) service off line.”
He said there is no evidence that anyone exploited the holes or that information was compromised before the fixes were made Thursday afternoon. Microsoft will reinstate the wallet service soon, he said.
Passport is Microsoft’s single sign-on service that enables users to log on to the Web once and then gain access to a range of Microsoft properties and services, from its MSN network of Web sites to the Web services it is rolling out called .Net My Services. The company also has deals with third-party Web sites, such as eBay Inc. and Starbucks.com, that enables users to log in to those sites without re-entering their user name and password.
The electronic wallet feature of Passport, called Passport Express Purchase, stores credit card information and mailing addresses so that users can make purchases at Web sites that support the technology.
Marc Slemko, a software engineer and one of the founding members of the Apache Software Foundation, identified the vulnerability after discovering what he described as a series of weaknesses with Microsoft’s Internet sites. “I started looking at the security of Passport when Microsoft began pushing it for much broader use,” he said Friday.
Slemko created a program that he said can be used to reveal information in a user’s Passport wallet in the minutes after that user logs into their Hotmail account. To do so he took advantage of a vulnerability known as “cross-site scripting.” Simply put, this weakness can allow a malicious coder to get between a Web site and a user’s machine and run code on a that machine when the user visits the Web site.
Sohn characterized cross-site scripting as a vulnerability that affects the Internet as a whole, and not just Microsoft’s services.
“This is a very sophisticated exploit,” Sohn said, adding that it takes “considerable expertise” to recreate the process. For those who do, it is even more difficult to actually steal any information, he said.
When a user signs onto Passport there is a five-minute window when the information in their wallet becomes accessible, allowing them to make an electronic purchase. After that time period, a user would need to re-enter their login and password to use the wallet, according to Microsoft.
Slemko said his program made it possible to access information about users during that five-minute window. Microsoft has reduced that window to about one minute since finding out about the problem, according to Sohn.
“Part of the complexity of this issue is that it isn’t just one hole that makes it vulnerable,” Slemko said. “The basic underlying hole is due to the fact that authentication information is cached and shared across pages.”
The exploit was successfully tested on Microsoft Internet Explorer 5.5 and 6.0 Web browsers running on Windows 2000 and Windows 98 machines, Slemko said. Windows XP users were never affected because the new operating system has beefed up security features, Sohn said.
While Microsoft said it is taking the steps to fix the holes in Passport, critics of the company say the security problems with the technology add to their concerns about having one company hold so much private information about its users in a central repository.
“In general, systems that concentrate huge files about hundreds of millions of people are not good for privacy because they become a honey pot for hackers and government investigators,” said Jason Catlett, president of Junkbusters Corp., a for-profit privacy advocacy group, which has been pushing the government to investigate Passport.
Junkbusters, along with a collection of other advocates, have filed claims with the U.S. Federal Trade Commission claiming that Microsoft is strong-arming consumers to sign up for Passport accounts and divulge personal information in a manner that violates the rights of consumers.
“Even if it were another company with a good record trying to do it we would object,” he said. “With Microsoft’s terrible record on privacy this is just unacceptable.”
Passport is used by 165 million subscribers, according to Microsoft. About 2 million of those users also have electronic wallet accounts, the company said. The service is at the heart of Microsoft’s strategy to provide software and services that allow users to access information and services on the Web from a variety of devices.
Slemko has created a Web site at http://alive.znep.com/~marcs/passport/, which details his findings and discusses what he said are other security issues with Passport.
Microsoft, in Redmond, Wash., can be reached at http://www.microsoft.com/.