Investigation: Live ID on bing.com

  • General discussion

  • To see the labeled traces (links to the raw traffic are in the benign trace)

    benign trace                               scenario (A)                        scenario (B)                      scenario (C)

    Understanding of the trace:

    1. IdP (live.com) delivers the secret token t to the target website (bing.com). The goal of the attacker should be to steal t at a certain point.
    2. wreply is the return URL

    • Edited by Rui Wang ISRC Tuesday, February 7, 2012 10:28 PM
    • Changed type Rui Wang ISRC Tuesday, February 14, 2012 5:35 PM wrong type
    • Edited by cs0317 Friday, March 30, 2012 5:55 PM ....
    Tuesday, February 7, 2012 7:43 PM

All replies

  • id in BRM1 should be the identity for the relying party website. For example, for bing.com, it is 264960; for msn.com, it is 1184; and for hotmail.com, it is 64855.

    lc in BRM1 is a constant. It is always 1033.

    ct in BRM1 should be a timestamp: the value in the raw traces is trace1 < trace2 < trace3, and the capture time of the traces is trace1 < trace2 < trace3, meaning that the value increases with time.
    Tuesday, February 7, 2012 10:54 PM