Microsoft Passport to Trouble
Marc Slemko <[email protected]>
Last Modified: $Date: 2001/11/05 03:03:39 $
$Revision: 1.18 $

Table of Contents

Executive Summary
What's New
Background
The Implementation: pre-XP cookie based
The Implementation: Passport Wallet
Problems with Passport
Example Exploit against a Passport Wallet via Hotmail
The Implementation: XP/IE6 "Passport authentication"
Other Musing and Areas Worthy of Investigation
Appendix A: Links to Information about Passport related technologies
Appendix B: What Microsoft Says They Are Doing

Executive Summary

Microsoft is attempting to position their Passport single sign-on authentication service as the one single identity that an Internet user should need to perform all their online activities. Currently, Passport isn't very widely deployed outside of Microsoft sites (in particular, most Passport accounts currently are actually Hotmail accounts). With their .NET "my services" push, Microsoft is trying to change this.

The current implementation of Passport, ignoring the new Windows XP specific functionality for the moment, is wholly inadequate to this task. It does not allow for sufficient control over the use of authentication information by a user and, where current technologies fall short of the ideal, it trades off security in favor of convenience in a way that leaves users vulnerable.

It is possible to use these design flaws and implementation holes to effectively steal a user's Passport in certain situations. One example scenario that I have put together to demonstrate these flaws consists of:

  1. User has a Hotmail account, and stores some credit card information in the Passport Wallet associated with that Passport account.
  2. User logs into Hotmail and, within 15 minutes of logging in, reads an email message sent to them by an attacker.
  3. The attacker has now stolen all the information in the user's Passport Wallet, including full credit card numbers. The user does not know this has happened, and did nothing other than read a mail sent to their Hotmail account.

There are many variations on this attack possible, limited only by the number of sites using Passport and the features they offer.

Windows XP attempts to integrate Passport accounts more transparently with a user's XP login account. This integration, while offering the potential for decreased security risks if implemented properly, appears in its current implementation to possibly increase the risk by allowing the user to be automatically authenticated in situations where they did not expect to be or did not explicitly allow it. Further investigation is necessary to fully understand the security implications of this poorly documented (and apparently still changing on the Passport servers) integration.

The risk to users today is mitigated substantially by the fact that Passport use is not all that widespread for anything more important than Hotmail accounts, and customizations on other Microsoft sites. The security implications, however, of having this Passport be a single identity for a user, in widespread use across the Internet, are dire.

It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software (it only took me about 30 minutes to come up with the basics of the example exploit; why didn't they notice the same issues?) or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their users' security. Either way, extreme caution is necessary when considering the adoption of Passport technologies and, by implication, any technologies built on top of Passport.

What's New

Background

This document is intended to provide an overview of some of the security aspects of Passport, and point out a few specific areas of vulnerability that can be exploited. To fully understand the contents of this document, please review the documents referenced in Appendix A. Microsoft has made various public statements about how they will be enhancing Passport in the future; however, most of them are only vague suggestions, without firm commitments or details.

Note that all the information here is correct, to the best of my knowledge, at the time it was written. Microsoft may (I hope!) fix at least some of the issues before this is made public.

Microsoft Passport is a centralized user authentication service purporting to allow easy and secure authorization of users to participating web sites. The largest number of Passport users are from Microsoft's Hotmail free email service; every Hotmail account is authenticated using the Passport system, with a few special hooks apparently designed to support legacy Hotmail behavior.

Passport also has a feature called a "Passport wallet" that can store credit card and address information for a user's Passport account. This is designed to be used with a service called "Passport express purchase", which merchants can use to allow users to check out without having to manually enter their address and payment information on each web site.

The newly released Windows XP (combined with IE6) supports a new type of HTTP authentication that Microsoft created called "passport authentication". This feature helps Windows XP manage a user's Passport account, and is supposed to allow for an easier and more transparent authentication to the Passport service.

Links to more detailed information about these technologies and how they are implemented can be found in Appendix A.

...continued on Page 2, with the juicy bits...




