ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Online business Toolkit

Microsoft plugs Passport hole

Published: 03 Jul 2003 08:03 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft has fixed a security flaw in its Passport online-identity system after the vulnerability was revealed by a Latin American hacker.

The flaw, which affects a small number of accounts created before August 1999, hasn't been used to compromise any data, said Jeff Jones, senior director of trustworthy computing for Microsoft.

"When we first heard about this, we tried to confirm the issue on eight or 10 accounts and couldn't," he said. "There is a very small subset of accounts that were created prior to four years ago that are affected."

Hotmail accounts that don't have a secret question set for password recovery were vulnerable to being taken over by an attacker. It's the second time in two months that a security issue has been found in Passport's password recover mechanism.

Jones said the company repaired the data error that led to the flaw and is monitoring the accounts that could be affected by the issue.

"They have done a search of all those accounts and have identified no malicious exploits," he said.

The flaw was briefly described in a posting by an independent security consultant who used the name "Victor Manuel Alvarez Castro" on the Insecure.org security mailing list.

"An account for which no secret password exists can be modified by other users by entering a new password," Castro wrote on June 27. "It's easily identifiable because the Secret Question field will be titled like 'notset.'" If you leave the "Secret Question" in blank and then set a new password for the account, you can effectively gain control of the account, he explained.

The flaw comes as a new California law goes into effect that would require companies to give notice to their customers when unencrypted personal information may have been compromised. In this case, Microsoft probably won't have to notify any users, because the company has evidence that accounts weren't tampered with.

Companies that do not comply with the California law open themselves up to civil lawsuits.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
103 out of 184 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Online business


Company/Topic Alerts

Create a new alert from the list below:








Related Jobs

Client Service Representative - Future Opportunities in Citi

Senior Account Manager Information providers, Canary Wharf, London

High Touch Account Manager

Sentry Posts Blog

Toshiba touts Quantum Key Distribution

Toshiba research scientists have developed a method of distributing quantum keys more efficiently, the company has claimed in a statement: "[Quantum Key Distribution -- ] QKD --... More

Post a comment

Virtual Teams: Small Business Innovati...

Virtual Teams: Small Business Innovation Author: Eric Everson, Founder – MyMobiSafe.com As the founder of MyMobiSafe.com, I’ve found that because of our presence in the industry... More

Post a comment

Mobile Security and Innovation: An Ope...

Mobile Security and Innovation: An Open Case Author: Eric Everson, Founder MyMobiSafe.com The times are changing in the mobile industry as “big wireless” in the US Markets are calling... More

Post a comment