Archive of UserLand's first discussion group, started October 5, 1998.

Re: Tim Bray on the HotMail Hole

Author: Sidney Markowitz
Posted: 8/30/1999; 11:43:28 AM
Topic: Tim Bray on the HotMail Hole
Msg #: 10254 (In response to 10251)
Prev/Next: 10253 / 10255

It gets worse...

Here's the URL (which I don't mind posting because it stopped working at noon Eastern time today, at least according to messages on slashdot): http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ACCOUNTNAMEGOESHERE&password=eh

That's it, no forms needed as the initial reports implied, just call the right CGI and give it any ID and use a password of 'eh'.

If you just go to http://207.82.250.251/ you find yourself in the same page as the http://www.hotmail.com/ URL redirects you to, with a host name of lc2.law5.hotmail.passport.com and a link to a press release type blurb about the wonders of Microsoft Passport.

It says, in part:

"Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized"

So Microsoft has developed a way for you to go from Passport site to Passport site without retyping your ID and password. Doing that in a secure way is an interesting technical challenge. Do you encrypt a password in a cookie and require every site to be able to access the cookie and also know what your password is? Do you make use of a trusted authentication server that is the only one that needs to know your password and have the individual sites communicate with it to verify that you have authenticated yourself to it?

I find it hard to believe that Microsoft's solution to this problem was to allow anyone in to a Passport site if their browser called the right cgi program with a password of "eh", and then rely on nobody knowing this "secret".

Perhaps they had some more complex mechanism in mind involving forms that posted to that cgi, and didn't realize that all the complication simplified into that one URL that anyone could call.

Or maybe this was just one big OOPS! of a bug in the implementation of an otherwise reasonable security design.

The Microsoft PR talks about "strong encryption" in Passport to provide one-password access to web communities. Then again, it also talks about using Passport technologies for an electronic wallet for secure e-commerce. It sounds like they are calling anything that might sound related "Passport" and generating lots of PR about how great it will be, whatever it is.

Maybe login=ANYID&password=eh is just the version 1.0 implementation of a system that someday will use real passwords.

I'm really curious what the designers really had in mind and how it ended up in this snafu.
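As an added illustration of the trusted-authentication-server design the post sketches (this is not code from the post or from Passport), the Python below has an auth server issue an HMAC-signed, expiring ticket that member sites verify without ever seeing the password; the user store, shared key and the `handle_start` handler are all constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import parse_qs

# Constructed credential store: the auth server holds salted hashes only.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct-horse-battery").hexdigest()}
# Constructed key shared between the auth server and member sites; it signs
# tickets, so a site can trust "who" without ever learning the password.
_TICKET_KEY = b"constructed-shared-key"


def authenticate(login: str, password: str) -> bool:
    """Auth server: the only component that ever sees the password."""
    stored = _USERS.get(login)
    if stored is None:
        return False
    supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied)


def issue_ticket(login: str, password: str, now=None, ttl: int = 600):
    """Auth server: return 'login|expiry|mac' or None if the login fails."""
    if not authenticate(login, password):
        return None
    expiry = int(now if now is not None else time.time()) + ttl
    body = f"{login}|{expiry}"
    mac = hmac.new(_TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_ticket(ticket: str, now=None):
    """Member site: accept a ticket only if its MAC and expiry check out."""
    try:
        login, expiry, mac = ticket.split("|")
    except ValueError:
        return None
    body = f"{login}|{expiry}"
    expected = hmac.new(_TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if int(expiry) <= (now if now is not None else time.time()):
        return None
    return login


def handle_start(query: str, now=None) -> str:
    """A 'start' handler like the one quoted: a valid ticket gets you in;
    otherwise login+password must first pass the auth server."""
    params = parse_qs(query)
    ticket = params.get("ticket", [""])[0]
    if not ticket:
        login = params.get("login", [""])[0]
        password = params.get("password", [""])[0]
        ticket = issue_ticket(login, password, now=now) or ""
    user = verify_ticket(ticket, now=now)
    return f"inbox for {user}" if user else "login required"
```

With this structure there is no fixed string that opens every mailbox: a member site can only be convinced by a ticket the auth server actually signed, and that ticket stops working once it expires.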


This page was archived on 6/13/2001; 4:52:16 PM.

© Copyright 1998-2001 UserLand Software, Inc.