ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Online business Toolkit

Microsoft plugs Passport hole

Published: 03 Jul 2003 08:03 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft has fixed a security flaw in its Passport online-identity system after the vulnerability was revealed by a Latin American hacker.

The flaw, which affects a small number of accounts created before August 1999, hasn't been used to compromise any data, said Jeff Jones, senior director of trustworthy computing for Microsoft.

"When we first heard about this, we tried to confirm the issue on eight or 10 accounts and couldn't," he said. "There is a very small subset of accounts that were created prior to four years ago that are affected."

Hotmail accounts that don't have a secret question set for password recovery were vulnerable to being taken over by an attacker. It's the second time in two months that a security issue has been found in Passport's password recover mechanism.

Jones said the company repaired the data error that led to the flaw and is monitoring the accounts that could be affected by the issue.

"They have done a search of all those accounts and have identified no malicious exploits," he said.

The flaw was briefly described in a posting by an independent security consultant who used the name "Victor Manuel Alvarez Castro" on the Insecure.org security mailing list.

"An account for which no secret password exists can be modified by other users by entering a new password," Castro wrote on June 27. "It's easily identifiable because the Secret Question field will be titled like 'notset.'" If you leave the "Secret Question" in blank and then set a new password for the account, you can effectively gain control of the account, he explained.

The flaw comes as a new California law goes into effect that would require companies to give notice to their customers when unencrypted personal information may have been compromised. In this case, Microsoft probably won't have to notify any users, because the company has evidence that accounts weren't tampered with.

Companies that do not comply with the California law open themselves up to civil lawsuits.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
103 out of 184 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Online business



Company/Topic Alerts

Create a new alert from the list below:








Related Jobs

Senior Global Account Manager, 65,000 - 75,000 (95,000 OTE)

Account Director, for major international force in IT services, London

Commercial Support Manager 35k - 45k - Coventry

Sentry Posts Blog

Nasa and the virus

Yesterday the BBC ran a story about a computer virus making it into orbit, which I read with incredulity. OK, it's a nice silly season story on the surface, but what really got me was... More

3 comments

Customer data found on eBay server hig...

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/...m).... More

Post a comment

Does it matter if you are an aardvark...

In spam terms, apparently it does. According to Cambridge University security expert Richard Clayton, if your email address is aardvark at animal.net, you are more likely to receive... More

5 comments