Microsoft's Passport authentication program, which is used by tens of millions of people to log on to Hotmail accounts every day, is trivially easy for a Trojan horse to compromise on Windows 9x and Me systems, according to developers.
A breach can expose a user's financial information, including credit card numbers that were typed in by a user and stored on Passport's central Web server.
Describing how easily a worm can get access, Bob Puckett, CEO of Bugtoaster.com, in Hillsboro, Oregon, says, "If the user uses MSN, it will get their Passport ID, password, and the phone number to dial their ISP." Because a person's email address and password are used to sign on to the Passport server -- where account numbers are held -- an unscrupulous person at an ISP could easily steal credit card numbers, experts say.
The average PC user has a bad habit of choosing the same user name and password to log on to several different websites. Passport, which will be bundled into the forthcoming Windows XP, makes this problem far more serious by enforcing a single user name and password for all participating websites. The service will be all but mandatory on XP, which tells users, "You need a Passport to use Windows XP internet communications features ... and to access net-enabled features."
The specific flaw is that Windows 9x and Windows Me allow any application to "see" the user name, password, and phone number used to access a dial-up ISP, according to Dave Thomas, Bugtoaster's CTO.
"For 10 minutes after you place a call," he says, "that info is visible in memory." Windows NT, 2000, and XP guard against this, but that leaves a few hundred million 9x-based systems at risk.
With email viruses and worms silently planting Trojan horse programs on millions of PCs, all the data a rogue programmer needs is out in the open. Most Windows users select the same password for Passport as they would do for any other service.
This newly discovered hole is distinct from the other problems with Passport, such as those identified in a white paper by researchers at AT&T Labs. To name only one, redirection of browsers to Microsoft's Passport server is not protected by SSL (Secure Sockets Layer). This makes it easy for an ISP employee to intercept account numbers. AT&T scientist Avi Rubin told the San Jose Mercury News on August 14 that Passport's problems "are fundamental things that can't really be fixed."
Microsoft did not reply to requests for comment by press time. I'll continue this subject next week.
Puckett and Thomas identified the problem using the free utility called Bugtoaster. Go to their website and download the program yourself, which helps isolate the causes of Windows crashes. Any comments sent to me by September 18 will be considered for publication in my October 1 column.
Brian Livingston's latest book is Windows Me Secrets (Hungry Minds). Send tips to firstname.lastname@example.org.