
Careful Windows Phone 8 users, connect to rogue Wi-Fi & hackers can steal passwords

A Wi-Fi authentication vulnerability in Windows Phone 8 allows attackers to remotely steal passwords if a user connects to a rogue Wi-Fi hotspot.

There's good news and bad news on the Microsoft front today.

Microsoft released a Skype for Windows Phone 8 update, which includes a "people list filter" to allow users to separate Skype and Windows Phone contacts, as well as Bing "upgrades" for Windows Phone 8.

The update for Bing includes 10 new "Instant Answers" like "traffic, flight status, exchange rates, word definitions and translations, and more." Instead of four search result categories, there are only three: Web, Images, and Videos. This means less swiping for users, according to Bing product manager Alisher Saydalikhodjayev. "We're gonna put more info on your first search result screen." Both the new Images and Videos categories support infinite scrolling.

While that is good news, the Microsoft-issued security advisory about Windows Phone 8 Wi-Fi authentication protocol weaknesses is not. It's not actually a problem with the affected Windows Phone 8 or 7.8; instead the weakness is in "the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device."

Basically, if bad guys set up a rogue hotspot and the user connects to it, the attackers could steal user credentials, like the password that logs the user into corporate networks.

The advisory states:

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Microsoft is reportedly unaware of any active attacks exploiting this weakness, but it is "monitoring the situation." There is no patch, but suggested mitigations include turning off automatic connection to Wi-Fi hotspots and configuring Windows Phones to "require a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices."

But Microsoft did patch a gaping security hole that allowed an attacker to take over a user's Yammer account. Vulnerability Laboratory alerted Microsoft Security Response Center about the insecure implementation of OAuth in Microsoft's enterprise social network Yammer. Leaked OAuth access tokens could be found on public search engines. Vulnerability Laboratory reported:

The fact that search engine bots are able to capture live user session data / sensitive URL parameters in its cache which is publicly accessible by everyone should be noticed and fixed immediately. Also the fact that by requesting the access token directly in your browser through HTTPS, it simply logs you in the Yammer social network as the affected user is also alarming. This vulnerability results in a complete compromise of the affected accounts, user profile and the associated risk is critical. Exploitation of the vulnerability requires no user interaction and also no registered Yammer account is required. To capture the session the attacker can use a random empty session as form to request.

Follow me on Twitter @PrivacyFanatic