Yet another Hotmail exploit

Around 30 minutes brainstorming was all the time it took for programmer Marc Slemko to come up with a working concept exploit of Microsoft’s Passport authentication service.

The exploit revolves around how how Passport implements

Around 30 minutes brainstorming was all the time it took for programmer Marc Slemko to come up with a working concept exploit of Microsoft's Passport authentication service.

The exploit revolves around how how Passport implements authentication. Currently, the primary use of Passport is as a Hotmail login service. When Hotmail users sign in, they are usually doing so solely to read their email. However, when you sign in to Passport, you are authenticated and authorised with all of the Passport related features – including Microsoft Wallet. Thus, an exploit targeting any one service (such as Hotmail) can potentially affect every other service that uses Passport authentication.

A combination of weak HTML parsing rules used by Hotmail, as well as a few browser based vulnerabilities, allow anyone to gain access to a Hotmail users' Wallet details by sending the target user a specially crafted email. If the target user reads the email within 15 minutes of their original Hotmail login, the exploit will work and the target users' Credit Card details are exposed.

You can get more information on how this vulnerability (since fixed) works, and why this won't be the last Passport based exploit, from the white paper posted at Marc's site.