Wednesday, February 13, 2002
19:10 - It's not going to get any better, folks...
http://finance.lycos.com/home/news/story.asp?story=26200929
Goodie, another security vulnerability in Passport and Hotmail.
In this instance, however, the keys to the exploit are actually hidden within the source code for the Hotmail login page. The code, visible to anyone knowledgeable enough to select "View Source" from the menu of their Web browser, reveals a "hidden" field that -- when populated with the desired username, saved as an HTML file and executed in a Web browser -- produces the targeted user's "secret question."
"Cisco Kid" -- the nickname for the hacker who helped to develop the exploit -- said Microsoft simply has no good explanation for leaving something so central to authentication in plain text.
One would think, "Gee, XP has been released, Passport is in use, and all this centralized user-management and privacy and authentication stuff is surely all figured out and bulletproof by now, isn't it?"
Well, guess what: it isn't. It's not getting any better. Every time some new Microsoft service comes out, there's a whole series of security exploits in it just waiting to be discovered. They're never going to "get it right". It's just not going to happen. If you're waiting for them to amass enough knowledge and expertise not to make stupid mistakes like embedding cleartext challenge data in the page source at Hotmail, you may as well wait until the heat-death of the universe before using Passport or .NET, like I'm doing.
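The class of flaw quoted above is a server that lets a client-controlled hidden form field switch it into "reveal the secret question" mode. The toy handlers below are an added illustration, not the Hotmail code or anything from the linked article: the field names, the account store, the session dict and the out-of-band recovery gate are all constructed assumptions.

```python
# Added example: a login handler that trusts a hidden form field, next to a
# hardened version that keeps the recovery decision server-side. Names are
# constructed for illustration and do not describe the real Hotmail page.

# Constructed account store: username -> (password, secret question)
ACCOUNTS = {
    "alice": ("correct horse", "Name of your first pet?"),
}


def vulnerable_login(form: dict) -> dict:
    """Trusts the hidden 'mode' field. Because every form field, hidden or
    not, is set by the client, anyone who knows a username can ask for that
    user's secret question without knowing the password."""
    user = form.get("login", "")
    if user not in ACCOUNTS:
        return {"status": "unknown_user"}
    password, question = ACCOUNTS[user]
    if form.get("mode") == "forgot":  # client-controlled, hidden in the HTML
        return {"status": "question", "question": question}
    if form.get("password") == password:
        return {"status": "ok"}
    return {"status": "bad_password"}


def hardened_login(form: dict) -> dict:
    """Ignores any client-supplied mode: the login form can only log in.
    Unknown user and wrong password get the same answer, so the form also
    stops confirming which usernames exist."""
    user = form.get("login", "")
    expected = ACCOUNTS.get(user, (None, None))[0]
    if expected is not None and form.get("password") == expected:
        return {"status": "ok"}
    return {"status": "bad_credentials"}


def hardened_recovery_question(session: dict) -> dict:
    """Releases the question only when server-side session state says the
    caller already passed an out-of-band recovery check (constructed gate,
    e.g. a token sent to a registered alternate address). The client cannot
    set this flag through a form field."""
    if not session.get("recovery_verified"):
        return {"status": "denied"}
    _, question = ACCOUNTS[session["user"]]
    return {"status": "question", "question": question}
```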