Information Security News mailing list archives

Read your boss's CV online, thanks to Microsoft...


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Nov 2001 06:13:30 -0600 (CST)

Forwarded from: Elyn Wollensky <elyn () consect com>

http://www.silicon.com/a48973

Wednesday 7th November 2001   

Deepening Microsoft's increasingly bad reputation for IT security,
silicon.com has discovered another loophole in a Microsoft website
designed for qualified Microsoft systems professionals.

The loophole allows anyone who has access to a Microsoft Certified
Professional's MCP number, acquired on passing the exam, to enter that
person's MCP site, which includes personal details such as
qualifications.

The flaw was highlighted to silicon.com by a reader who used the hole
to discover his boss wasn't as qualified as he claimed to be. The
reader, who wished to remain anonymous, logged onto the site and
discovered his boss had not passed all the exams he claimed he had.
The silicon.com reader said he had received no response from Microsoft
when he told them of the hole.

Microsoft has so far declined to provide a representative to answer
questions about the issue.

The loophole is in the registration for the secure site. To create a
new user ID, all MCPs have to do is type in their MCP number and
their surname in capitals. On the strength of this validation alone an MCP
then just invents a personal user name and password, which is used to
access the site from then on.

However, the problem is that a user is not limited to just one user ID
per MCP number. This means that at any point in the future
someone who knows the number could create a new ID, with access to
all of the person's private details.
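The registration logic the article describes, rebuilt as an added illustration (not Microsoft's code): the weak form binds any number of user IDs to one MCP number, while the hardened form allows a single binding per number and logs repeat attempts so they can be reviewed. The `Site` store, the MCP numbers and the surnames are constructed; password handling is left out because the defect is in the binding, not the password.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("mcp-registration")


@dataclass
class Site:
    """Constructed stand-in for the MCP site's user store."""
    # MCP number -> surname in capitals (hypothetical lookup of exam records)
    valid_mcps: dict[str, str]
    # user_id -> MCP number the account was created with
    accounts: dict[str, str] = field(default_factory=dict)

    def _credentials_match(self, mcp_number: str, surname: str) -> bool:
        # The article: the only "validation" is the public MCP number plus
        # the surname typed in capitals.
        return self.valid_mcps.get(mcp_number) == surname.upper()

    def register_weak(self, mcp_number: str, surname: str, user_id: str) -> bool:
        # Flaw as described: nothing stops a second, third, ... user ID from
        # being bound to the same MCP number later on.
        if not self._credentials_match(mcp_number, surname):
            return False
        self.accounts[user_id] = mcp_number
        return True

    def register_hardened(self, mcp_number: str, surname: str, user_id: str) -> bool:
        if not self._credentials_match(mcp_number, surname):
            return False
        # One account per MCP number: a registration against a number that is
        # already bound is refused, and the attempt is logged for review since
        # the number is printed on cards and is not a secret.
        if mcp_number in self.accounts.values():
            log.warning("duplicate registration attempt for MCP number %s", mcp_number)
            return False
        self.accounts[user_id] = mcp_number
        return True

    def accounts_for(self, mcp_number: str) -> list[str]:
        """User IDs currently bound to an MCP number."""
        return [uid for uid, num in self.accounts.items() if num == mcp_number]
```
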

This is a problem because MCPs are not encouraged to keep their MCP
number private, like, say, a bank card PIN. Indeed, every MCP has a card
printed with the number on it, used to prove their qualified status, and
many put the number on their business card.

The MCP site is used by Microsoft Certified Professionals to get
details of how to apply for further exams, and includes cut-price
offers on training.

Dr Neil Barrett, technical director with security consultancy IRM, said
the problem was definitely a security breach: "This is undoubtedly
information on display here that counts as personal data under the
Data Protection Act, and should be looked after accordingly.

"This is just another example of the attitude that Microsoft seemingly
has toward security - exemplified by the hole in Passport discovered
over the weekend - which is either impossibly naive or simply
negligent."

Microsoft has garnered increasing criticism over its software security
in recent months. User dissatisfaction was exemplified last week when
online bank Egg revealed it was using Microsoft software to
authenticate its customers, prompting a wave of protests from
silicon.com readers.

User fears over Passport were realised over the weekend when Microsoft
admitted the platform had been hacked and security compromised.



-
ISN is currently hosted by Attrition.org
