Feeds

MS Passport cracked with Hotmail

One-stop hacking

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Passport and Wallet users are going to be disappointed to learn that these feature-rich tools can't be used until MS fixes a little bug which makes sport of taking over someone else's account.

Passport authenticates a user for access to his credit cards and Web site accounts and passwords, to make life easy for on-line merchants and shoppers, and hackers and identity thieves.

The flaw was discovered by Seattle researcher Marc Slemko, who devised a Hotmail exploit which enables an attacker to use a malicious e-mail to obtain the victim's entire on-line shopping kit, and take any action the owner can take.

Briefly, the exploit involves stealing session cookies used to authenticate users to the Passport server and other sites which support Passport, and impersonating the victim.

"If, for example, a user enters their password to sign in to Hotmail, they are then allowed access to their Passport Wallet without further authentication for the next 15 minutes! So if someone logs into Hotmail then reads an e-mail sent to them that uses one of a variety of attacks to steal their Passport cookies, that attacker has then effectively stolen that user's Passport Wallet, without the user ever knowing," Slemko explains.

Step-by-step instructions for doing just that are laid out on Slemko's Web site here. It is definitely not as difficult as it should be. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Apple's OS X Yosemite slurps UNSAVED docs into iCloud
Docs, email contacts... shhhlooop, up it goes
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.