On Thu, 21 Jun 2007 05:52:05 +0100, [H]omer wrote:
[..]
>> http://www.cio.com/article/120100/Microsoft_Flaw_Opened_Door_to_Scammers_Analysts_Say
>
> This is only the tip of the iceberg. There continues to be serious fraud
> committed against Live account holders, and Microsoft are apparently
> impotent in the face of this problem:
>
> http://slated.org/stolen_xbox_live_accounts
[...]
I doubt that the Windows Live ID data itself has been cracked; it seems
more likely that all of the fraud cases involve a degree of human
engineering.
Found through the Wikipedia entry on Windows Live ID:
"Microsoft Corp. Tuesday fixed a bug in its Windows Live ID registration
that let users deceptively register a false e-mail address."
Windows Live Bug Opened Door to Scammers
Though Microsoft fixed a bug in Windows Live that enabled spoofed user
accounts, it could still lead to fraud.
Jeremy Kirk, IDG News Service
Tuesday, June 19, 2007 9:00 AM PDT
ROFLMAO, that was never a bug, that was a feature. In order to not have
to listen to bitches about how hard it was to register, Microsoft
designed it such that one could claim the Windows Live ID
"bill@xxxxxxxxxxxxx" if Bill hadn't yet registered, regardless of whose
e-mail it really was.
Apparently the guy who discovered this flaw can be contacted in Messenger
at mail@xxxxxxx, IIRC, although I wonder what will happen when the folks
at CNN reset the password for that Live ID. Or, maybe if the guy has the
account set up such that password resets go to his alternate e-mail
account, CNN can't get that Windows Live ID back without taking him to
court or something. I'm not positive, but I think that was how he
registered that Live ID to begin with. Can Windows Live IDs be set up so
that the password reset will never go to the, err, e-mail address which,
err, "is" the Live ID?
(From experimentation, there's an option to have the password reset go to
either the alternate e-mail address or the Live ID one. Of course, if
you forgot what was entered for the alternate e-mail address and no
longer have access to the Live ID e-mail, then you're SOL.)
Microsoft, in its infinite wisdom, disconnected the e-mail address from
the "Live ID," something which no mom-and-pop would do. If anyone can
find any sort of registration other than the "Live ID," whether it be
Google or a mom-and-pop, which doesn't do e-mail registration, please do
give the details. Every other registration service, whether it's the NY
Times or whatever, requires an e-mail confirmation, at least to my
knowledge. Only Microsoft does away with that complexity.
Now that Microsoft has had to admit that accounts are being hijacked,
it's a bug. Well, it's not a bug if it's intentional. A bug can only be
unintentional. It was expediency, Microsoft's hallmark.
I wonder how many calls the folks at passport.net get every day on this
topic: "uh, yeh, I registered a fake e-mail address, and would like the
password. Yes, it's my account..." Very penny wise and pound foolish on
Microsoft's part.
-Thufir
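The e-mail confirmation step the post says every other registration service performs, shown as an added example that is not from this thread and not any product's real code: a toy Python identity service (all addresses, names and the TOKEN_TTL value are constructed) that can be switched between the "claim any address on the user's say-so" behaviour the post describes and the usual confirmation-required flow. In the hardened mode an account cannot log in until a single-use token delivered to the claimed mailbox is consumed, and password-reset mail is routed only to addresses that have been confirmed, so an unconfirmed alternate address can never become the recovery channel.

```python
"""Constructed model of e-mail-confirmed registration and reset routing."""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # assumed: seconds a confirmation link stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt; the 16-byte salt is stored in front of the hash."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def check_password(password: str, stored: bytes) -> bool:
    return secrets.compare_digest(hash_password(password, stored[:16]), stored)


@dataclass
class Account:
    login_email: str
    password_hash: bytes
    verified: bool = False               # has the login address been confirmed?
    alternate_email: Optional[str] = None
    alternate_verified: bool = False


@dataclass
class Pending:
    login_email: str   # account the token belongs to
    target: str        # address being confirmed
    expires: float


class RegistrationService:
    """Toy identity provider. require_verification=False reproduces the
    'address taken on the user's say-so' behaviour; True requires proof
    of mailbox control before the account is usable."""

    def __init__(self, require_verification: bool = True):
        self.require_verification = require_verification
        self.accounts: dict = {}
        self.pending: dict = {}     # sha256(token) -> Pending
        self.outbox: list = []      # (recipient, message): constructed mail sink

    def _issue_token(self, login_email: str, target: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = Pending(login_email, target, time.time() + TOKEN_TTL)
        # Delivered only to `target`: only whoever reads that mailbox can finish.
        self.outbox.append((target, "confirm:" + token))
        return token

    def register(self, email: str, password: str) -> Optional[str]:
        if email in self.accounts:
            raise ValueError("address already claimed")
        acct = Account(email, hash_password(password))
        self.accounts[email] = acct
        if self.require_verification:
            return self._issue_token(email, email)   # account stays unverified
        acct.verified = True   # weak: claimed without any proof of control
        return None

    def verify(self, token: str) -> bool:
        """Consume a confirmation token; single use and time limited."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        p = self.pending.pop(digest, None)
        if p is None or p.expires < time.time():
            return False
        acct = self.accounts[p.login_email]
        if p.target == acct.login_email:
            acct.verified = True
        elif p.target == acct.alternate_email:
            acct.alternate_verified = True
        else:
            return False   # alternate was changed after the token was issued
        return True

    def set_alternate(self, email: str, alternate: str) -> str:
        acct = self.accounts[email]
        acct.alternate_email, acct.alternate_verified = alternate, False
        return self._issue_token(email, alternate)

    def reset_channels(self, email: str) -> list:
        """Addresses a reset link may be sent to: confirmed ones only."""
        acct = self.accounts[email]
        chans = [acct.login_email] if acct.verified else []
        if acct.alternate_email and acct.alternate_verified:
            chans.append(acct.alternate_email)
        return chans

    def request_reset(self, email: str) -> list:
        chans = self.reset_channels(email)
        if not chans:
            raise PermissionError("no confirmed address; route to manual identity check")
        for recipient in chans:
            self.outbox.append((recipient, "reset-link"))
        return chans

    def can_log_in(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return bool(acct and acct.verified and check_password(password, acct.password_hash))


if __name__ == "__main__":
    svc = RegistrationService()
    tok = svc.register("newsdesk@example.com", "correct horse")   # constructed address
    print("login before confirmation:", svc.can_log_in("newsdesk@example.com", "correct horse"))
    print("confirmed:", svc.verify(tok), "reset goes to:", svc.request_reset("newsdesk@example.com"))
```

The design point is that the token is only ever written to the claimed address, so the mailbox itself is the proof of ownership; the alternate recovery address gets the same treatment, which is why the "it doesn't go to the e-mail that is the ID" situation the post worries about cannot arise unless the alternate has itself been confirmed.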