Stealing MS Passport's Wallet

Microsoft rushes to fix a hole that could allow someone to steal credit card numbers and other data from users of its Passport service. It's not the first time the service has been penetrated. By Brian McWilliams.

To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.

The bugs in Passport, a sign-on service used by more than 200 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.

By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers and all, simply by getting the victim to open a Hotmail message.

The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.

In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user's Passport wallet.

According to a notice at the service's site, the Passport wallet enables users to store credit card and address information "in a secure, online location. Only you have access to the information in your .NET Passport wallet."

Introduced in 1999, Passport is what Microsoft calls a "platform service" and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be.

Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers' checkout at dozens of sites that deploy the Passport Express Purchase technology.

In an e-mail today to Slemko, Passport's lead program manager for security and authentication, Chris Peterson, said the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our users' credit card information."

Microsoft's Hotmail is the largest service currently utilizing the Passport authentication system, but the technology has also been deployed by eBay to allow users of the online auction service to sign into their accounts.

In addition, Microsoft's MoneyCentral personal finance site relies on Passport's sign-on technology.

Prior to being fixed by Microsoft, the authentication flaws discovered by Slemko could have enabled an attacker "to do anything as if they were the Passport holder," including editing the user's portfolio at MoneyCentral or changing users' auctions at eBay, he said.

More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport from an authentication system developed by Entrust Inc., according to published reports.

Besides posting it at his site, Slemko intends to release the technical details on several security mailing lists Friday "so that, if they choose, users and partners can choose to reduce the impact on themselves," he said. Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct them.

According to Christopher Payne, Microsoft's vice president of .NET Core Services Platform, the company has patched three bugs utilized by Slemko's exploit: an HTML filtering issue in Hotmail as well as cross-site scripting flaws in Hotmail and in its Passport server configurations. In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service. Payne said two million Passport users have created wallets to date.

While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
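The fix described above, requiring the password to be re-entered before the wallet is reached, is a step-up authentication check: a sign-on cookie alone (which is what the exploit stole) no longer suffices for the sensitive operation. The following is an added illustration of that idea, not Microsoft's code; the names, the salted-hash storage and the five-minute freshness window are assumptions, since the article gives no such details.

```python
"""Step-up re-authentication for wallet access (added illustration).

Models the mitigation the article describes: a session cookie is enough for
ordinary use, but reaching the wallet requires a recent password entry, which
a stolen cookie cannot supply. All names and the window length are assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

WALLET_REAUTH_WINDOW = 300  # seconds; assumed value, the article gives no figure
PBKDF2_ROUNDS = 50_000      # assumed work factor for the password hash


@dataclass
class Session:
    user: str
    password_hash: bytes                  # salted hash the server keeps for the user
    salt: bytes
    cookie_issued_at: float               # when the sign-on cookie was minted
    last_password_entry: Optional[float]  # set only when the password itself was typed


def make_session(user: str, password: str, now: float) -> Session:
    """Initial sign-on: the user typed the password, so both timestamps start at now."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Session(user, digest, salt, cookie_issued_at=now, last_password_entry=now)


def reauthenticate(session: Session, password: str, now: float) -> bool:
    """Record a fresh password entry; holding the cookie alone cannot do this."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), session.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, session.password_hash):
        return False
    session.last_password_entry = now
    return True


def wallet_allowed_legacy(session: Session) -> bool:
    """Pre-fix behaviour: any valid sign-on cookie reaches the wallet."""
    return session.cookie_issued_at is not None


def wallet_allowed_with_reauth(session: Session, now: float) -> bool:
    """Post-fix behaviour: the password must have been typed within the window."""
    if session.last_password_entry is None:
        return False
    return 0 <= now - session.last_password_entry <= WALLET_REAUTH_WINDOW
```

With the post-fix check, a cookie captured via cross-site scripting opens the wallet only if it is presented inside the freshness window, and never once the window has lapsed.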

"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.

But Microsoft .NET product manager Adam Sohn said the techniques used by Slemko are difficult to employ.

"These are very sophisticated exploits. This isn't just somebody downloading a script from a hacker site and running it," said Sohn, who said the company has no evidence that anyone has taken advantage of the vulnerability.

Slemko is not the first, however, to conclude that Passport is a big target. Last year, researchers at AT&T published a paper that observed that Microsoft's single sign-on service "carries significant risks to users" and warned that "Passport must be viewed with suspicion."

Microsoft subsequently fixed the bugs identified in the AT&T report and issued a response, downplaying the researchers' conclusion that Passport is inherently flawed and promising new security features in the future.

One fruit of that promise is in Microsoft's recently released Windows XP operating system, which attempts to improve the security of Passport's sign-on system by moving the authentication out of the browser and embedding it into the operating system.

Microsoft has also adopted what it calls a "federation" model for Passport that will allow other authentication vendors to create systems that interoperate with Microsoft's platform.

But critics still contend that granting Microsoft control over a massive set of personal data creates intolerable security risks.

"If history has shown us anything, it's that the best protection lies in decentralizing power and promoting competition. We need to take the same approach to our digital identities and make sure that who and what we are is not held captive by a single entity," wrote Whitfield Diffie, one of the inventors of public-key cryptography, and Susan Landau, a senior staff engineer at Sun Microsystems, in an editorial published last week.

According to Slemko, the fact that he needed just half an hour to cook up a way to exploit Passport's security flaws indicates that Microsoft is not fit to run a service with Passport's ambitions.

"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their users' security," he said.