Joyce Winslow
jwins@oregon.uoregon.edu
Last fall, we reported the vulnerability of Microsoft's Passport authentication
program to Trojan Horse viruses (see "Watch
Out for Microsoft Passport Security Woes").
Now identity theft has been added to the list of Passport liabilities by Seattle
researcher Marc Slemko. Slemko pinpointed the weakness by devising a Hotmail
exploit that steals Passport authentication cookies and impersonates the victim
(for details, see http://alive.znep.com/~marcs/passport/).
Passport is still used primarily for Hotmail accounts and customizations on other Microsoft sites, so relatively few UO users are currently at risk. However, as Slemko points out, if Passport authentication becomes more widely used, the security implications (i.e., having a single identity for a user across the Internet) are far more grave.