Sign in
Microsoft.com
 
Microsoft
 
 
 

none
Investigation: Live ID on bing.com

 > 

    General discussion

  • Discussion
    Sign in to vote
    0
    Sign in to vote

    To see labeled trace (links to see raw traffic is in benign trace)

    benign trace                               scenario (A)                        scenario (B)                      scenario (C)

    Understanding of the trace:

    1. IdP (live.com) delivers the secret token t to target website (bing.com). The goal of the attacker should be to steal t at certain point.
    2. wreply is the return URL





    Tuesday, February 07, 2012 7:43 PM
    |
    Owner

All replies

  • Discussion
    Sign in to vote
    0
    Sign in to vote

    id in BRM1 should be the identity for replying party website. For example, for bing.com, it is 264960; for msn.com, it is 1184; and for hotmail.com, it is 64855.

    lc in BRM1 is a constant. It is always 1033.

    ct in BRM1 should be timestamp: the value in raw trace1 < trace2 < trace3, and the time of capturing of the trace is trace1 < trace2 < trace3, meaning that the value is increasing according to time.
    Tuesday, February 07, 2012 10:54 PM
    |
    Owner