ZDNet UK



Microsoft stamps out Passport flaw

Published: 09 May 2003 08:29 BST


Microsoft security and product teams worked overnight to fix a flaw in the password reset feature of the Passport identity service that threatened to compromise millions of accounts.

By 8 a.m. (PST) on Thursday, the company had replaced the service with a more secure version, one that should have been there in the first place, said Adam Sohn, product manager for Microsoft's Passport team.

"It was something that slipped through the reviews," he said. Sohn added that the feature had been around since September 2002 and that Microsoft is currently investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.

The issue is perhaps the largest vulnerability known to have slipped through Microsoft's security reviews since the company began its Trustworthy Computing Initiative aimed at, among other things, reducing software vulnerabilities.

Microsoft has touted Passport as a technological centrepiece in its Web services future. Passport accounts are central repositories for a person's online data, including personal information such as birthdays, credit card numbers and shipping addresses. The accounts are pitched as a single key for a customer's accounts, allowing for easier purchasing of items online. Microsoft estimates that there are 200 million active Passport accounts.

The security issue, apparently discovered by a Pakistani security consultant and student, became public knowledge late on Wednesday night after the student sent details to the Full-Disclosure security mailing list.

"It is so simple that it is funny," wrote the student, who used the name Muhammad Faisal Rauf Danka. He claimed to have tried to contact Microsoft through several different email accounts, including security@microsoft.com.

Sohn said that account is the general email account for Microsoft's corporate security teams, not its product security. The email eventually was forwarded to the Microsoft Security Response Center, but not before the company had already heard of the issue from CNET News.com.

"You live and learn," Sohn said. "We will obviously take a hard look to make sure that if something is sent through the nonstandard channels, and it is real, we are all over it."

