ZDNet UK
Microsoft stamps out Passport flaw

Published: 09 May 2003 08:29 BST

Microsoft security and product teams worked overnight to fix a flaw in the password reset feature of the Passport identity service that threatened to compromise millions of accounts.

By 8 a.m. (PST) on Thursday, the company had replaced the service with a more secure version, one that should have been there in the first place, said Adam Sohn, product manager for Microsoft's Passport team.

"It was something that slipped through the reviews," he said. Sohn added that the feature had been around since September 2002 and that Microsoft is currently investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.

The issue is perhaps the largest vulnerability known to have slipped through Microsoft's security reviews since the company began its Trustworthy Computing Initiative aimed at, among other things, reducing software vulnerabilities.

Microsoft has touted Passport as a technological centrepiece in its Web services future. Passport accounts are central repositories for a person's online data, including personal information such as birthdays, credit card numbers and shipping addresses. The accounts are pitched as a single key for a customer's accounts, allowing for easier purchasing of items online. Microsoft estimates that there are 200 million active Passport accounts.

The security issue, apparently discovered by a Pakistani security consultant and student, became public knowledge late on Wednesday night after the student sent details to the Full-Disclosure security mailing list.

"It is so simple that it is funny," wrote the student, who used the name Muhammad Faisal Rauf Danka. He claimed to have tried to contact Microsoft through several different email accounts, including security@microsoft.com.

Sohn said that address is the general email account for Microsoft's corporate security teams, not its product security team. The email was eventually forwarded to the Microsoft Security Response Center, but not before the company had already heard of the issue from CNET News.com.

"You live and learn," Sohn said. "We will obviously take a hard look to make sure that if something is sent through the nonstandard channels, and it is real, we are all over it."
