|
|
Passport, the authentication program used by millions of people logging into Hotmail accounts, unfortunately puts many Windows users at risk by requiring the use of a single username and password for all participating websites. An added vulnerability is that redirection of browsers to Microsoft's Passport server is not protected by Secure Sockets Layer (SSL), making it easy for user account numbers and other sensitive information to be intercepted.
One of Passport's most potentially damaging flaws is that Windows 95/98 and Windows ME expose usernames, passwords, and phone numbers used to access the Internet service provider for as long as10 minutes, making them vulnerable to theft or infection by a Trojan Horse virus. Windows NT, 2000, and XP guard against this, but there are still millions of Windows 95/98 and ME users who are wide open to attack.
Researchers at AT&T Labs detected these vulnerabilities during testing with the free "bugtoaster" utility, which may be downloaded from http://www.bugtoaster.com For an exhaustive report of Passport's potential problems, see the AT&T Labs white paper at http://www.avirubin.com/passport.html