- 10 Microsoft research projects
- 10 kitchen gadgets for the geek gourmet
- Verizon trounces competition
- Smartphone smackdown: Storm vs. iPhone
- FBI warns of holiday cyber scams
Microsoft Tuesday fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address.
The false e-mail address could then be used as an ID for Microsoft's Live Messenger program, which could trick a user into thinking they are chatting with someone who is not whom they appear to be, such as steveballmer@microsoft.nl.
Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw's impact.
It's unclear how long the flaw may have existed or how many accounts with deceptive instant messenger IDs could have been created. Duindam said a fake ID he created was still active Tuesday morning.
If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).
However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning.
"It's heaven for scammers," Duindam said via instant message on Tuesday.
An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. For example, victims could receive an instant message from someone who appears to have their boss's e-mail address.
At that point, victims could be tricked into thinking they are communicating with their boss. The hacker could then send a link to a malicious Word document, for example, that could install a keystroke logging program on a machine.
"In one swoop, you can become the boss, or human resources or accounts," wrote Chris Boyd, senior research manager with FaceTime Communications Inc., via instant message.
Boyd said if the original spoofed accounts are still active, Microsoft should try to shut them down as soon as possible. But it could be difficult, especially if Microsoft was not aware of the flaw and can't track the spoofed accounts.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comments (3)
Solution to fake accountsBy Banjo on June 22, 2007, 3:52 amSending a verification e-mail might seem a solutuion.... But lets consider a scenario whereby a scammer uses someone elses e-mail address whom unknowing of the fact...
Reply | Read entire comment
See Microsoft Subnet forBy Micronet on June 20, 2007, 10:08 amSee Microsoft Subnet for more Microsoft-related news, blogs, security alerts, technical group. Some security gurus are looking at Microsoft's efforts to patch...
Reply | Read entire comment
How Microsoft can figure out spoofed e-mail accountsBy Anonymous on June 20, 2007, 10:00 amAll Microsoft has to do is send an email to all registered users and if you do not respond to the email, it is a spoofed account. Then it can be shut down or have...
Reply | Read entire comment
View all comments