Windows Live Bug Opened Door to Scammers

Microsoft Corporation has fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address. The false e-mail address could then be used as an ID for Microsoft's Live Messenger program, which could trick a user into thinking they are chatting with someone who is not whom they appear to be. Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw's impact.

It's unclear how long the flaw may have existed or how many accounts with deceptive instant messenger IDs could have been created. If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).

However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning. Microsoft should try to shut down the fake accounts as soon as possible but it could be difficult, especially if Microsoft was not aware of the flaw and can't track the spoofed accounts. An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. Users could be tricked into thinking they are talking to someone they trust.

News source: PC World

Report a problem with article
Previous Story

iSuppli raises 2007 computer sales forecast

Next Story

Dell Starts Selling Unlocked Mobile Phones

5 Comments

Commenting is disabled on this article.

Of those accounts being shut down, will those include @live.com and @live.[TLD] accounts that were given through a JS trick?

I have to more or less agree with Roger MS.

After all, what's usually the first thing that happens after a computer gets infected with an email virus? The virus sends copies of itself to everyone in the victim's address book using that victim's name and email address!

Who, in this day and age, automatically trusts an email or an IM just because it says it's from someone the recipient trusts?

Not I.

I'm so glad I dropped my subscription to PC World back in '98. I see they are still a complete waste of money.

This is the most blatant form of FUD I've seen published in quite some time. And from a long-term magazine that is supposedly respected.

You can trick people with domains that actually exist, too. Just go to Hotmail, create an account with an alias that looks like the name of a friend of the targeted victim, just like an unverified address, and log on. Note that this is an even more effective way to trick your victim, since a verified email address allows you to change your friendly name (you cannot use a friendly name with unverified email addies). So, you have a verified email alias of joe_r_smith@hotmail.com AND you have a friendly name of Joe Smith. Why WOULDN'T John think you were Joe?

So in essence, the best way to spot someone who may be trying to trick you is the fact that their "friendly name" is an unverified email address.

However, neither example above works at all if your Options are set to only receive IM from people on your Allow list...which has been the default setting on new installs since version 5.0 shipped. That was a LOOOONG time ago, kids.

This is a complete non-story. Move along, nothing to see here.

I wouldn't say complete non-story. There was a small problem, it seems, where an unverified email address would not indicate it was "unverified", so would lead people to believe it was legit.

The problem was fixed by Microsoft, yet it appears that accounts created with this verification oversight are still not corrected to indicate they are not verified.