Security weaknesses in the Passport Security Model

Matt Liotta

By now most people are familiar with Microsoft Passport since it has been around for a while. It also helps that Microsoft owns Hotmail and has forced all of its users to be Passport users as well. However, this isn't an article on how to hack Microsoft Passport so you can read other people's juicy Hotmail accounts. No, this is an article on how to hack the Passport security model, which is used by several other vendors. I am simply focusing on Microsoft since Passport is the most widely used.

Hacking Passport is rather hard, but its security model just plain stinks, so we are going to hack that instead. This article will show you how to build a very simple program to collect Passport user logins and passwords. This program will be web-based, so it will be easy for millions of Passport users to well… use. However, it will become painfully obvious to the intended readers of this article that the real trick will be convincing people to actually use this program. We will then engage in a bit of social engineering and learn how to get Passport users to use our little program.

Before getting started, let's define some ideas so we are on the same page. The first is hacking. When this author hacks, he is attempting to find clever solutions to complex problems. This is the traditional definition used by geeks everywhere. However, there is another definition used by the media and many uninformed people: the attempt to break into something illegally. We won't be doing that in this article. If you use the techniques described here to obtain Passport logins and passwords for the purpose of accessing accounts that don't belong to you, then you of course fit the latter definition and are committing a crime; maybe several. You have been warned.

Next up is the security model idea, which is vague and generic, so I won't define it in general. However, if we are going to hack it, we need to know what it is. In this case, the Passport security model refers to the problem Passport attempts to solve: centralized authentication for heterogeneous applications, a.k.a. single sign-on (SSO). It has long been the dream of many to log in once and have every web site know who you are without needing to log in at each one. Passport offers a solution to this problem. As more and more web sites switch to Passport for their authentication, the easier it gets for consumers. In addition, the companies that implement Passport get all the advantages Microsoft lists for it. Although, let's not forget that above all others, Microsoft benefits most. So if everyone benefits, including consumers, why am I against it? Well, no one has a good answer for what happens when someone steals a consumer's Passport. Think about it: if John Doe has a Passport account that gets him into x number of sites with a single login and his Passport is stolen, then the thief can log in to all those sites as well. A single sign-on credential is a single point of failure, and its value to an attacker grows with every site that trusts it.

Now we all know that Microsoft is an expert at getting consumers to do what it wants. Currently it wants, among other things, for consumers to use Passport. Thus, it will only be a matter of time before I as a consumer am forced to have a Passport account as well. Actually, I already have one, as a project at my former job required it. However, I don't need that Passport to do my shopping and I don't relish the thought of that changing, so let's poke some holes in the security and see what happens.

Our first step is to create a program to capture Passport account information. The easiest way is an interactive web form that looks like the Passport login form. This can be done in a variety of languages rather easily. Just download the HTML source of Passport's login page and change the form's action attribute to point at your logging script. Mind you, the Passport login page is copyrighted, so it is illegal to do this, but I pointed that out earlier. The server-side script needs to log the user name and password the user submits and then re-post that form data, unchanged, to wherever the original action attribute pointed. You can log the data to a file, a database, or even email it to yourself. The Passport server will answer with a redirect, which you forward on to the user's browser, so that the user ends up logged into whatever web site they thought they were logging into. One caveat: a redirect alone may not be enough. If the login response also sets cookies, those arrive at your script rather than at the user's browser, and a cookie scoped to Passport's domain cannot be re-issued from yours. Test the relay end to end, because a user who lands on the destination site but is not logged in has a reason to become suspicious.

As you can see the above is rather easy to do. However, it doesn't seem all that clever and there is of course the problem of getting the user to use your web form on your server instead of the one he is supposed to. That problem requires a clever solution.

What I am going to explain now is known as a semantic attack. We need the user to think they are logging into the correct place. For almost all users on the Internet, there are two basic ways to determine what site they are looking at. The first and most obvious is the rendered page. If you can produce a web page that makes the user think they are looking at the Passport login page, then most of the time you're done. However, users also look at the URL in the browser address bar as an indicator of where they are. Luckily for us, most URLs are quite long these days and include lots of query parameters. This is good, but we are going to need a long fake URL in order to hide the real one. What do I mean by this? Let's look at an example. Below is the URL we want the user to think they are connected to.

http://www.somecompany.foo/somedirectory/somefile

However, we actually want the user to connect to the following URL.

http://i.am.stealing.your.password/somefile

To pull that off we use the following URL.

http://www.somecompany.foo/somedirectory/somefile:somejunktomaketheurllonger@i.am.stealing.your.password/somefile

The URL will scroll off the screen and the user will only see the left side of it. This gives the impression that they are connected to the correct URL, while the browser in fact connects to i.am.stealing.your.password, which sees nothing unusual: the request arrives at our password-stealing script like any other, with the host and path in the ordinary web server CGI variables. The trick works because everything before the @ in the authority part of a URL is user information (a user name and optional password), not a host name. Two caveats a practitioner should know. First, the URL syntax (RFC 2396, now RFC 3986) does not allow a slash inside that user information, so a parser that follows the specification ends the authority at the first slash and sends the user to www.somecompany.foo after all; the trick relies on lenient parsing and is more robust when the decoy part contains no slashes. Second, browsers have since reacted: Internet Explorer stopped accepting user information in http URLs with a 2004 security update, and current browsers strip it from the address bar or warn about it, so an attacker today has to rely on other kinds of look-alike URLs.

Now, to actually make use of this attack we still need the user to use our URL instead of the one the Passport server provides. The hardest, but most effective, way is to break into a corporate proxy and have it rewrite the URLs on the fly. Again, that is illegal, so you shouldn't do it. There is a much simpler way, though not as effective. You will need to know the person's email address. Once you have it, you write an email asking the user to update their Passport account information by clicking on a URL that you have conveniently provided for them. As most IT managers will confess, users will follow the instructions in the email and click away.
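The URL trick above and the email delivery step, as an added example that is not code from the article: the script below parses the article's two look-alike URLs the way a parser that follows the URL specification does and the way the trick intends, then scans a constructed phishing email and flags links where the two readings disagree or where the authority carries user information at all. The URLs are the article's own (joined onto one line); the slash-free variant, the email text and all function names are assumptions made for this example.

```python
"""Spot decoy@real-host URLs of the kind the article describes.

Added example, not code from the article.  ARTICLE_URL is the article's own
URL; SLASHLESS_URL, SAMPLE_EMAIL and the function names are assumptions.
"""
import re
from urllib.parse import urlsplit

# The article's deceptive URL, joined back onto one line.
ARTICLE_URL = ("http://www.somecompany.foo/somedirectory/somefile"
               ":somejunktomaketheurllonger@i.am.stealing.your.password/somefile")
# Assumed slash-free variant: the whole decoy fits in the userinfo part,
# which is what RFC 3986 actually permits.
SLASHLESS_URL = ("http://www.somecompany.foo:somejunktomaketheurllonger"
                 "@i.am.stealing.your.password/somefile")


def strict_parse(url):
    """Return (host, userinfo) as an RFC 3986 parser (urllib) sees them.

    The authority ends at the first '/', so a '/' inside the decoy means
    there is no userinfo at all and the decoy host is the real host.
    """
    parts = urlsplit(url)
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    return parts.hostname, userinfo


def lenient_host(url):
    """Return the host the trick intends: everything after the last '@' up
    to the next '/', ignoring slashes in the decoy.  This models the
    permissive parsing the article relies on, not any specific browser.
    """
    rest = url.split("://", 1)[1]
    tail = rest.rsplit("@", 1)[1] if "@" in rest else rest
    host = tail.split("/", 1)[0]
    return host.split(":", 1)[0].lower()


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def flag_spoofed_links(text):
    """Scan free text (an email body) and return (link, strict_host,
    lenient_host) for every link whose authority carries userinfo or whose
    strict and lenient readings resolve to different hosts."""
    hits = []
    for link in URL_RE.findall(text):
        strict_host, userinfo = strict_parse(link)
        loose = lenient_host(link)
        if userinfo is not None or loose != strict_host:
            hits.append((link, strict_host, loose))
    return hits


# Constructed phishing email in the style the article describes.
SAMPLE_EMAIL = (
    "Dear Passport user,\n"
    "Please update your account information at\n"
    + ARTICLE_URL + "\n"
    "or, if that link does not work, at\n"
    + SLASHLESS_URL + "\n"
    "Our home page: http://www.somecompany.foo/somedirectory/somefile\n"
)

if __name__ == "__main__":
    for url in (ARTICLE_URL, SLASHLESS_URL):
        print("strict:", strict_parse(url), "lenient:", lenient_host(url))
    for hit in flag_spoofed_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", hit)
```

Running it shows the two readings side by side: for the article's URL a specification-following parser reports www.somecompany.foo with no userinfo at all, while the lenient reading lands on i.am.stealing.your.password; for the slash-free variant both readings agree on the attacker's host and the decoy is visible as userinfo. A mail filter that flags either condition catches both forms, and the legitimate link in the sample passes untouched.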

This kind of attack can really be carried out against any web application that has a login form. However, when stealing a password once gives access to hundreds of sites, the danger is too great. There are some ways to slow down this sort of attack, but no way to really stop it, unless we give up on usernames and passwords altogether.

Matt Liotta started his development career at the age of twelve by building C applications for faculty at Emory University. He built his first web page soon after the release of Mosaic 1.0. Excited by early web applications, Matt saw the potential to replace legacy client server applications. At Emory University he built an enterprise calendaring system, the faculty poster project, a Y2K compliance tracking application, and a prototype for an electronic research administration system.

Since then he worked with an early ASP, Cignify, to build their transaction processing system for payroll time data. For this project, Matt created a message queuing system to connect significant bodies of code in C++ and VB with the main application server. He also built a code distribution system for Consumer Financial Networks, as well as the first online account management system for Grizzard Communications. Matt did consulting around San Francisco for companies such as Williams Sonoma and Yipes Communications.

Soon after, he built gMoney's Group Transaction System using an innovative XML messaging architecture for ColdFusion that matches conceptually with the now popular web services paradigm. He also wrote a C++ knapsack algorithm to realize nearly a 20-fold improvement over a similar approach written entirely in CFML. Later at TeamToolz, he designed a highly secure and scalable network architecture for ColdFusion to support N-tier transport agnostic distributed applications. He then went on to implement a cutting-edge content management system for DevX. He is now President & CEO of Montara Software, which he recently founded.

Matt is also a frequent speaker on web architecture:

  • Moving Legacy Applications to the Web (Emory Web Developers Users Group, Atlanta --Feb, 98)
  • The Benefits of Web-based Enterprise Calendaring (Emory Web Developers Users Group, Atlanta -- Aug, 98)
  • Monitoring and Managing Services Remotely Using TAPI (Atlanta Visual Basic Users Group, Atlanta -- Nov, 99)
  • Scalable, Extensible Cold Fusion Architecture (Bay Area ColdFusion Users Group, San Francisco; Aug, 00)
  • Scalable, Extensible Cold Fusion Architecture II (CF_Scale Conference, Washington, D.C. -- Nov, 00)
  • Cold Fusion Scalability Panel (CF_Scale Conference, Washington D.C. -- Nov, 00)
  • Introducing CF Espresso (including white paper) (CF_South Conference, Orlando -- Feb, 01)
  • Utilizing Reverse Proxies (Web Services World, San Jose -- Apr, 01)
  • Cold Fusion on Linux (A CF Odyssey Conference, Washington, D.C. -- Jun 01)
  • Architecting Web Services (Web Show 2001, San Francisco -- Sep, 01)
  • Code Techniques in MX Panel (Bay Area ColdFusion Users' Group, San Francisco -- Jul, 02)
  • ColdFusion Cruise, May, 03

superb

Submitted by skunk on April 3, 2002 - 13:47.

Very simple, but very effective - I've been arguing this about Passport for months but I've never seen it explained so well. The extra details (making the URL so long that the @ bit is hidden through scrolling out of the URL bar, hacking a corporate proxy) are the icing on the cake. Of course, any e-mails asking users to update their account should be sent as HTML with a nice safe-looking link text to further obscure the link ;)


Is this different?

Submitted by jedimaster on April 3, 2002 - 16:14.

Matt, is this different from hacking any other site, like Hotmail, or whatever? Yes, I get the idea that stealing someone's Passport account gives you access to N sites, not 1, but it seems a bit unfair to say this is only a Passport issue. I'm probably just being anal.


RE: Is this different?

Submitted by DevilM on April 3, 2002 - 16:24.

Yes, you are being anal and yes, you are mostly correct. However, being anal myself, I never wrote this was a problem with Passport itself. It is a problem with Passport's security model, which many applications use. However, Hotmail would be a bad example as it uses Passport. :)


That's the point

Submitted by snekse on April 3, 2002 - 16:39.

What other technology really lets you get into n sites with one username and password? There really does need to be an added layer of security. I'm not sure what Matt has in mind, because I have a feeling that if you were able to steal someone's username and password, even without Passport, you'd still be able to get into a lot of applications. How many times have we seen someone use the same user name and password on like 10 different sites? I admit that I do it on occasion. If I register for a site that I don't think I'm going to use very often and the information isn't sensitive, I'll use my default password. The matter is, really, that there is NO good way to protect from this unless an additional password is required for each site and that password is checked against all of your other passwords to make sure it isn't already being used, or some crazy thing like that. Think about it, how else can you truly verify who is trying to access your system? Can't use biometrics, we've all seen "Demolition Man" :-) You can't reliably use IP. At this time there is little else we can use other than username and password, which is inherently insecure for precisely the reason Matt stated, social engineering. Passport could be especially dangerous for unsavvy users that are new to the Internet or just plain dumb. You hear all the time on the news how old people are getting swindled out of their money. Imagine if you had access to personal information and all of their Passport sites. Very dangerous indeed. -Derek


Can do this with any site

Submitted by themadman on April 3, 2002 - 22:41.

Jedimaster,

This technique could actually be used against other Web sites too. I could carry out that spoof with any URL. For instance, I could send an email to a gullible person with a URL like:

http://www.evolt.org/articledisplay.cfm?articleid=821&categoryid=15&loggedin=no&sessionid=g4a3251346i@www.hackersite.com

That URL actually goes to www.hackersite.com. And if www.hackersite.com had mirrored the evolt.org look and feel, I could trick the victim into "logging in" with his evolt.org username and password, and capture it for my use.


Right...

Submitted by jedimaster on April 4, 2002 - 04:58.

Themadman - that was my point. I thought it was a bit unfair to say this was a Passport issue and not just a general security issue. Yes, the author makes this point, but the title points out Passport. Again though, I'm being anal, and the issue in general REALLY needs this kind of attention.


The right way to do the same thing.

Submitted by androse on April 5, 2002 - 04:56.

So what is the best way to implement SSO? Personally, I work on a Mac, and use the 'Keychain' feature that was introduced with Mac OS 9. Any application can call the (system-level) 'keychain'; you are prompted with a dialog asking if application XYZ can access the information that it stored in your keychain, then you use a master password to unlock the keychain. All the data is stored in an encrypted file on disk.

Right now Internet Explorer 5.1 doesn't use the keychain for web authentication. I don't know about the other browsers. Now I'm thinking of getting one of those tiny USB storage devices, putting my 'keychain' information on it, and putting it in my wallet. That process seems pretty secure to me: sit in front of a computer, plug your USB 'key' in, and use only your master password.


running sites

Submitted by chickerino on April 5, 2002 - 08:19.

I think anyone who runs sites should have the responsibility of keeping their clients username/password information confidential and private.

I work for a web development company and we run 50 or so sites where users have profiles. People generally use the same passwords for every site they are a member of, so effectively we have all of the usernames, passwords and email addresses for all of our users for most, if not all, of the websites they are members of. This is especially bad since many users' email addresses are for webmail accounts - Hotmail or Yahoo Mail, of which we could probably gain access to more than 50%!

I think rather than just being a problem for Microsoft passport, it's a problem for all sites that use logins.


Very Nice Indeed

Submitted by The8thElement on April 5, 2003 - 07:21.

I tried it out but did it another way. I set up a forwarding email system with Bravenet.com, then used MSN Gaming Zone's login page. I saved the images and the HTML file (customized to my liking and need, of course) to my group's server, then went to shorturl.com, set up an account and masked my URL the way I wanted the "users" or "victims" (whatever sounds nicer, lol) to see it. In MSN Gaming Zone there are Mplus members, aka sysops, aka online volunteers who are supposed to keep the Zone fair and just (most of them are corrupt and abuse their tools). Anyway, I named the masked URL "http://www.mplus-central.filetap.com/". Then I give some bullshit advertisement for it, like an mplus-central crack, name some Mplus members (+billybob etc.) and give them (the user/victim) bullshit info on those Mplus members, and when they try to log in, it brings up another page that is another Zone login page and says crap like "your password is incorrect, please try again" (it did work, and it sends me the email with their IP, the date and time, their email and password, and also the cookie). It's worked pretty well. Thank you for another way to do it and also for giving me a better understanding of it. Excuse my poor grammar and spelling, I just recently awoke from my sleep. G'day everyone, thanks again :)


Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.