Word 2007 Blog Feature’s Password Handling

I knew about the blog feature – hard not to notice when every time you go to make a new document, it gives you the option of making a blog post. I’d known about it for quite a while, as I was part of the group reviewing the threat model. Last night was the first time I’d used it – really, really easy to set up and use, and it sure is a lot nicer editing experience using Word than on the web. It also lets you do nice stuff like manage categories, accounts, etc. Now that I’ve actually used it myself, this is a really cool feature. The ribbon even cuts back to what makes sense for a blog post.

So where does the password go? All blog data is stored in HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Blog\Accounts, and you’ll notice that the password is a fairly large binary blob. That’s because they did the right thing, and used CryptProtectData to store it. I was a little worried about this, and asked the team how the password was protected on the wire.

It turns out the password is NOT protected on the wire at all! We come out with a completely new protocol this century, and we move passwords in plain-text across the wire??? I think the only ones that are protected in the least use SSL/TLS, but very few of the providers do this. Just what ARE people thinking?


A clarification – when I said “we” came up with a new protocol, that would not be “we” as in Microsoft. It’s actually an issue with the MetaWeblog API (maybe others), and the Atom Publishing Protocol is supposed to be better.

I’m just amazed when new protocols are created without taking security into account. I can understand rsh and telnet being insecure – the Internet was a small village then. But doing that now? Another issue that rankles me – USB and FireWire both don’t really help security.
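The cleartext exposure described above, as an added example that is not part of the original post or of Word's own code: in the MetaWeblog API the username and password are ordinary positional parameters of each XML-RPC call, so without TLS they sit readable in the HTTP request body. The account values, endpoint URLs and helper names below are constructed for illustration.

```python
import xmlrpc.client
from urllib.parse import urlsplit

# Constructed sample account; not taken from the post.
USER, PASSWORD = "alice", "correct-horse-battery"


def build_new_post(blog_id, username, password, title, body, publish=True):
    """Serialize metaWeblog.newPost as it is placed in the HTTP request body."""
    post = {"title": title, "description": body}
    params = (blog_id, username, password, post, publish)
    return xmlrpc.client.dumps(params, methodname="metaWeblog.newPost")


def password_visible(request_xml, password):
    """True when the password appears verbatim in the serialized request."""
    return f"<string>{password}</string>" in request_xml


def transport_protects_credentials(endpoint):
    """Only TLS keeps the request body, and so the password, off the wire."""
    parts = urlsplit(endpoint)
    return parts.scheme == "https" and bool(parts.hostname)


def safe_proxy(endpoint):
    """Refuse to create a client that would send credentials over plain HTTP."""
    if not transport_protects_credentials(endpoint):
        raise ValueError(f"refusing cleartext blog endpoint: {endpoint}")
    # Constructing the proxy opens no connection; calls would go over TLS.
    return xmlrpc.client.ServerProxy(endpoint)


def audit(endpoints):
    """Map each configured blog endpoint to whether its transport is protected."""
    return {url: transport_protects_credentials(url) for url in endpoints}


if __name__ == "__main__":
    xml = build_new_post("1", USER, PASSWORD, "Hello", "First post")
    print("password readable in request body:", password_visible(xml, PASSWORD))
    # Hypothetical endpoints on a reserved example domain.
    for url, ok in audit(["http://blog.example/xmlrpc",
                          "https://blog.example/xmlrpc"]).items():
        print(url, "->", "TLS" if ok else "CLEARTEXT CREDENTIALS")
```

Protecting the stored password with CryptProtectData does nothing for this case: the value is decrypted before the request is built, so the endpoint scheme is the only control on the wire.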

Comments (3)

  1. Ouch! Do you know if Windows Live Writer uses the same technique???


    Blake Handler

    Microsoft MVP

    [ dcl ] Nope, no idea.

  2. orcmid says:

    The problem isn’t with Word or Live Writer, it is with the protocols that the different blog services use.  If you use one of those protocols between an authoring tool and the blog service (even a privately-hosted blog), that’s what you get.

    I just went to http://www2.blogger.com and logged into my “New Blogger” account via that page.  I saw an https URL fly by, but otherwise, I would have to presume that my ID and password were transmitted in the clear.  I did not see any indication of SSL on the home page itself.

    The URL for the Blogger API is pure port 80 without SSL.  I might have my settings wrong, and I’ll try my next BlogJet post with SSL checked and we’ll see what happens.