Network Managing, Engineering and Administration with an eye toward security.
Best practices meet the real world!
Friday, May 09, 2003 Ok, yesterday I didn't post about the Microsoft Passport security flaw... Work :)
Exploit: https://firstname.lastname@example.orgemail@example.com&rst=1 posted by Muhammad Faisal Rauf Danka.
You just change the two e-mail addresses (the account whose password gets reset and the address the reset link is delivered to). Notice the emailpwdreset.srf: that's the culprit. It probably shouldn't have been accessible to external clients at all, i.e. a configuration issue.
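To make the mechanics of that one-URL exploit concrete (and Sohn's "we didn't validate the input" quoted below), here is an added example written for this post, not Microsoft's code or anything from the original advisory: a toy reset endpoint in Python that mails the reset link wherever the request says, beside a hardened version that only ever mails the address of record and gives the same reply whether or not the account exists. The parameter names `account` and `sendto`, the account store, the in-memory mailbox and the victim/attacker addresses are all assumptions constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data for the demo; none of it comes from the original post.
VICTIM = "victim@example.org"
ATTACKER = "attacker@example.net"


@dataclass
class Account:
    email: str      # address of record: the only place reset mail may go
    password: str


@dataclass
class Mailbox:
    """Stand-in for the mail system; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def fresh_accounts() -> dict:
    return {VICTIM: Account(VICTIM, "hunter2")}


def vulnerable_reset(params, accounts, mailbox, tokens):
    """Models the flawed flow: the reset link goes wherever the request says.

    `account` (whose password to reset) and `sendto` (where to mail the link)
    are hypothetical names for the two addresses the post says you change.
    """
    acct = accounts.get(params.get("account", ""))
    if acct is None:
        return "No such account."            # also leaks account existence
    token = secrets.token_urlsafe(16)
    tokens[token] = acct.email
    # Bug: a caller-supplied destination is trusted, so naming the victim's
    # account and the attacker's inbox hands the attacker the reset link.
    mailbox.send(params.get("sendto", acct.email), f"reset token: {token}")
    return "Reset link sent."


def hardened_reset(params, accounts, mailbox, tokens):
    """Reset mail is addressed only to the address of record.

    Any destination in the request is ignored, and the reply is identical
    whether or not the account exists, so the endpoint reveals nothing.
    """
    acct = accounts.get(params.get("account", ""))
    if acct is not None:
        token = secrets.token_urlsafe(16)
        tokens[token] = acct.email
        mailbox.send(acct.email, f"reset token: {token}")
    return "If that account exists, a reset link has been sent."


def complete_reset(token, new_password, accounts, tokens):
    """Second half of the flow: single-use token, compared in constant time."""
    for issued, email in list(tokens.items()):
        if hmac.compare_digest(issued, token):
            del tokens[issued]               # one use only
            accounts[email].password = new_password
            return True
    return False


def run_attack(handler):
    """Replays the attacker's request against `handler`.

    Returns (who received mail, whether the attacker ended up owning VICTIM).
    """
    accounts, mailbox, tokens = fresh_accounts(), Mailbox(), {}
    handler({"account": VICTIM, "sendto": ATTACKER}, accounts, mailbox, tokens)
    hijacked = False
    for to, body in mailbox.sent:
        # The attacker can only read mail that landed in their own inbox.
        if to == ATTACKER and body.startswith("reset token: "):
            token = body[len("reset token: "):]
            hijacked = complete_reset(token, "pwned", accounts, tokens)
    return [to for to, _ in mailbox.sent], hijacked


def token_is_single_use():
    """A token issued by the hardened flow works exactly once."""
    accounts, mailbox, tokens = fresh_accounts(), Mailbox(), {}
    hardened_reset({"account": VICTIM}, accounts, mailbox, tokens)
    token = mailbox.sent[0][1][len("reset token: "):]
    first = complete_reset(token, "new-password", accounts, tokens)
    second = complete_reset(token, "another", accounts, tokens)
    return first and not second and accounts[VICTIM].password == "new-password"


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_reset))   # mail to attacker, hijacked
    print("hardened:  ", run_attack(hardened_reset))     # mail to victim, safe
```

The fix is not a clever token scheme; it is refusing to let the requester choose where the reset mail goes, and not confirming which accounts exist. Everything else (random single-use token, constant-time comparison) is the ordinary baseline for a reset flow.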
Here's a round up of the issue including News articles:
Silicon Valley News
cNet News.com articles here, here, and here.
Adam Sohn Quotes:
"It was something that slipped through the reviews"
"Of course we should have caught it; we should catch every (issue)"
"We didn't validate the input," Sohn said. "We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this."
Simon Conant Quotes:
"It is very rare for this type of thing to happen. We don't wait for it to happen."
CBS News (and others):
"Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet. Product Manager Adam Sohn said the company was unaware of hackers actually hijacking anyone's Passport account, but several experts said they successfully tested the procedure overnight."
I'm still trying to find the article in which Sohn was quoted as saying that the security guards at the MS complex received the e-mail about the vulnerability. I do remember reading three or four different explanations he gave as to why they didn't respond to the e-mail. Today, all the news is the same AP quotes, so I guess someone in Redmond got their act together about what to say :).
I do agree with those folks over at Slashdot who were saying: How do you contact Microsoft?? Seems you have to know the right department, the right manager, and the right e-mail address, otherwise you're ignored. Funny, post it on a mailing list and 8 hrs later it's resolved :). No wonder MS is against public disclosure :-D. posted by David | 5/09/2003 03:07:00 PM