SECURITY PROBLEM IN MSN MESSENGER AND PASSPORT!

TheMSsForum.com: The Microsoft Software Forum

I am a Microsoft MSDN subscriber and work in a small company with another
developer. The other developer (who I have worked with for 12 years and
trust completely) needed to download a software tool from the MSDN site
while I was otherwise occupied. Since my Passport Login is the only one
allowed to be used for MSDN downloads (for our company), I explicitly gave
him permission to use it for a download because the project had to be done
immediately.

A few days later, I logged into MSN Messenger (v6.2) automatically (it uses
the same Passport ID/PWD) and to my surprise the display name shown was that
of my co-worker!!!! HOW DID THAT HAPPEN?

Is MSN Messenger pulling private information from the computer a person logs
in on? No matter HOW it happened the incident is extremely disconcerting. I
bet that nefarious individuals could have a field day with this type of
thing. Something fishy is going on. I definitely don't trust Passport or MSN
Messenger anymore.
Any comments? Explanations?
Top

Re: SECURITY PROBLEM IN MSN MESSENGER AND PASSPORT! by Eric

Eric
Fri Apr 08 10:39:51 CDT 2005

Use a different passport for MSN Messenger. Passport is not meant to be
shared. I change the display name to what I want, so I am not sure if 7 puts
in your name or not. You could turn on archiving and hope he does not know
about it, see if he talks to your contacts. Make sure the option is turned
off to show part of your last conversation so he does not get tipped off.

--
Thank you,
Eric Vogel

"John Kotuby" <jkotuby@snet.net> wrote in message
news:ey$QScEPFHA.4000@TK2MSFTNGP15.phx.gbl...
>I am a Microsoft MSDN subscriber and work in a small company with another
>developer. The other developer (who I have worked with for 12 years and
>trust completely) needed to download a software tool from the MSDN site
>while I was otherwise occupied. Since my Passport Login is the only one
>allowed to be used for MSDN downloads (for our company), I explicitly gave
>him permission to use it for a download because the project had to be done
>immediately.
>
> A few days later, I logged into MSN Messenger (v6.2) automatically (it
> uses the same Passport ID/PWD) and to my surprise the display name shown
> was that of my co-worker!!!! HOW DID THAT HAPPEN?
>
> Is MSN Messenger pulling private information from the computer a person
> logs in on? No matter HOW it happened the incident is extremely
> disconcerting. I bet that nefarious individuals could have a field day
> with this type of thing. Something fishy is going on. I definitely don't
> trust Passport or MSN Messenger anymore.
> Any comments? Explanations?
>
>


Top

Re: SECURITY PROBLEM IN MSN MESSENGER AND PASSPORT! by Paul

Paul
Fri Apr 08 11:00:05 CDT 2005

Hello, John:
On Fri, 8 Apr 2005 10:27:17 -0400: you wrote...

JK> logs in on? No matter HOW it happened the incident is extremely
JK> disconcerting. I bet that nefarious individuals could have a field day
JK> with this type of thing. Something fishy is going on. I definitely
JK> don't trust Passport or MSN Messenger anymore.

The whole point of Passport is to provide a universal login (at least
amongst services that use Passport). By giving your password to another you
gave that person access to all services that are associated with that
Passport. You should change the password on that account. Start a seperate
Passport account and associate it with the MSDN subscription if you must
give out that password to others. Passport accounts are not and never were
designed to be shared. You put yourself and your information at risk by
doing so. Even sharing the MSDN Passport is dangerous. Suppose that someone
went in and changed the password on that account, then what would you do?
You need a better method of dealing with such problems. Passport accounts
are meant for individual, non-shared use.

Regards, Paul R. Sadowski [MVP].


Top

Re: SECURITY PROBLEM IN MSN MESSENGER AND PASSPORT! by John

John
Mon Apr 11 13:09:06 CDT 2005

Paul (and others)...

Thanks for the responses and warnings everybody. I have changed my password.
But I don't think you get the point. I still work with that Developer who is
also a friend. I told him about the fact that all the answers I got are
blaming HIM (and me indirectly) for the fact that the display name was
changed in my MSN Messenger. We both had a good laugh over that. He did NOT
change anything! The only thing we can think of is that because he used my
Passport on his machine (which had his name in it) that MSN Messenger
itself, through some chain of events, changed the display. Before you go
into an explanation on why that could never happen, it might be wise for
somebody at Microsoft who is involved in that product to take a closer look
at how that "could" happen. I am just alerting Microsoft to a possible
problem with the Passport system as related to MSN Messenger. I understand
for political and business reasons that Microsoft could not possibly admit
to such a problem. The parts of the puzzle are Passport, MSN Messenger,
MSDN, and the Windows XP Registry (and maybe more) and of course the people
involved.

Here's something to think about. When you begin to trust technology more
than people, it's time for you to step away from your technology career for
a while and take a deep breath. Has anyone seen the movie I Robot? I know it
wasn't like the book, which I read as a teenager 40 years ago, but it does
make a valid point.

Thanks....

"Paul R. Sadowski [MVP]" <sadowski@mvps.org> wrote in message
news:eZW$NQFPFHA.4052@TK2MSFTNGP12.phx.gbl...
> Hello, John:
> On Fri, 8 Apr 2005 10:27:17 -0400: you wrote...
>
> JK> logs in on? No matter HOW it happened the incident is extremely
> JK> disconcerting. I bet that nefarious individuals could have a field day
> JK> with this type of thing. Something fishy is going on. I definitely
> JK> don't trust Passport or MSN Messenger anymore.
>
> The whole point of Passport is to provide a universal login (at least
> amongst services that use Passport). By giving your password to another
> you gave that person access to all services that are associated with that
> Passport. You should change the password on that account. Start a seperate
> Passport account and associate it with the MSDN subscription if you must
> give out that password to others. Passport accounts are not and never were
> designed to be shared. You put yourself and your information at risk by
> doing so. Even sharing the MSDN Passport is dangerous. Suppose that
> someone went in and changed the password on that account, then what would
> you do? You need a better method of dealing with such problems. Passport
> accounts are meant for individual, non-shared use.
>
> Regards, Paul R. Sadowski [MVP].
>


Top