Nelson's Weblog: tech / bad / passportHackedAgain


Mastodon @nelson@tech.lgbt Linkblog Wed 2024-11-20 Francis Williams painting The Platonic Blow Tue 2024-11-19 EmojiRain Bantam Tools Artframe Using OSM vector tiles Starlink sold out Fine-tuning LLMs at home Bluesky starter packs Mon 2024-11-18 Carbon Mapper Sun 2024-11-17 Love, Acceptance, and Screeching Modems Voyager 1 backup radio Gay Tblisi Usenet feed growth Methane mapping City99 console font Sat 2024-11-16 Lorraine Gervais Sill Justin's Linklog Thune 2004 blog campaign Fri 2024-11-15 Open source garage door Search Archives 2023 12 11 10 09 08 07 06 05 04 03 02 01 2022 12 11 10 09 08 07 06 05 04 03 02 01 2021 12 11 10 09 08 07 06 05 04 03 02 01 2020 12 11 10 09 08 07 06 05 04 03 02 01 2019 12 11 10 09 08 07 06 05 04 03 02 01 2018 12 11 10 09 08 07 06 05 04 03 02 01 2017 12 11 10 09 08 07 06 05 04 03 02 01 2016 12 11 10 09 08 07 06 05 04 03 02 01 2015 12 11 10 09 08 07 06 05 04 03 02 01 2014 12 11 10 09 08 07 06 05 04 03 02 01 2013 12 11 10 09 08 07 06 05 04 03 02 01 2012 12 11 10 09 08 07 06 05 04 03 02 01 2011 12 11 10 09 08 07 06 05 04 03 02 01 2010 12 11 10 09 08 07 06 05 04 03 02 01 2009 12 11 10 09 08 07 06 05 04 03 02 01 2008 12 11 10 09 08 07 06 05 04 03 02 01 2007 12 11 10 09 08 07 06 05 04 03 02 01 2006 12 11 10 09 08 07 06 05 04 03 02 01 2005 12 11 10 09 08 07 06 05 04 03 02 01 2004 12 11 10 09 08 07 06 05 04 03 02 01 2003 12 11 10 09 08 07 06 05 04 03 02 01 2002 12 11 10 09 08 07 06 05 04 03 02 01 2001 12 11 10 09 08 07 One good site MDN Nelson Minar nelson@monkey.org Blog licensed under a Creative Commons License		Microsoft Passport hacked badly Another serious hack of Microsoft Passport. The flaw allowed a single Web address--or URL--to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account. Bugs like this are incredibly common, usually not worth reporting. But Passport is different. Passport wants to be the single trusted repository of personal data, all your eggs in one basket. I worry they don't have a fundamental systems security model to make that safe. This isn't the first time Passport has been hacked, either. tech • bad 2003-05-08 15:37 Z Nelson's Weblog • tech • bad