[Sigia-l] By design or by test?

Listera listera at rcn.com
Fri May 9 01:24:40 EDT 2003


Microsoft acknowledged a security flaw Thursday in its popular Internet
Passport service that left 200 million consumer accounts vulnerable to
hackers and thieves -- an admission that could expose the company to a hefty
fine from U.S. regulators.
[...]
The incident was yet another embarrassing lapse for Microsoft and could
result in sanctions by the Federal Trade Commission and even a staggering
fine. The episode occurs in the midst of Microsoft's "trustworthy computing
initiative" to improve security for all its software products and services.
[...]
The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by
typing a specific Web address that included the phrase "emailpwdreset," he
could seize any Passport account. He said he sent 10 e-mails to Microsoft
explaining his findings but never received a response. Sohn said the company
was investigating how it might have missed those reports.

Danka said he discovered the flaw after unknown hackers repeatedly hijacked
Passport accounts belonging to him and a friend. He said he found the
problem on Microsoft's Web site that controls Passport accounts about four
minutes after he began searching in earnest.

"It was so simple to do it. It shouldn't have been so simple," Danka told
The Associated Press in a telephone interview from Karachi. "Anyone could
have done this."

Microsoft should have been rejecting such transmissions from anywhere
outside the company's own network, Sohn acknowledged. Microsoft shut down
the affected Web address late Wednesday night, just over one hour after
details were published on the Internet. Those filters were permanently set
in place early Thursday, Sohn said.

"We didn't validate the input," Sohn said. "We allowed somebody external to
do something only the system itself should be doing. Somebody plumbed around
... and figured out they could do this."

Microsoft Admits Passport Security Flaw
<http://www.nytimes.com/aponline/technology/AP-Microsoft-Hackers.html>

You just can't make up stuff like this. It's beyond Security Design 101. If
the level of commitment and foresight *while* designing software is this
low, there just isn't any amount of testing that can expose the full gamut of
flaws that will surely ensue. So yes, first get yourself 200 million captive
users, test often and test again on Tuesdays. What a racket!

Ziya
Nullius in Verba