News
7/1/2003 05:12 PM

Microsoft Confirms, Fixes Passport Flaw

The software vendor says few accounts were jeopardized by the .Net Passport vulnerability.

A flaw in Microsoft's .Net Passport system may have let attackers reset the passwords of some user accounts and take them over. The flaw was disclosed in a message posted to the Vulnerability Discussion security mailing list last week and confirmed by a Microsoft official Tuesday.

The Web identity service, .Net Passport, is used by Microsoft and other companies to let customers use their E-mail addresses and passwords to gain access to a variety of online services.

The vulnerability, according to the poster, who identified himself as Victor Manuel Alvarez Castro, lay in the way .Net Passport handled its password-reset process for users who have forgotten their passwords. Microsoft currently uses a "secret question" safeguard to help validate someone who wants to reset a .Net Passport password. That safeguard has been in place since 1999, so accounts established before then have no secret question on file, and the reset process for those accounts fell back to weaker checks; according to the advisory, such accounts could have been hijacked. If the attacker knew the victim's E-mail address and basic geographic location information, the account was at risk, the advisory stated.

Jeff Jones, senior director of trustworthy computing security at Microsoft, says the vulnerability was minor and only existed for a small set of Passport users who created their accounts before 1999. Though the exact number of at-risk accounts is not known, Jones says, "there were no known accounts affected by this vulnerability." Microsoft changed the password-reset process for those users, and, it says, strangers can no longer gain access to those accounts.

The vulnerability appears to be minor, says John Pescatore, research director at Gartner. The fact that an attacker would have to enter city, state, and ZIP code information to exploit the security hole would have prevented widespread automated identity theft, he says. "It would generally prevent automated attacks and at least require me to know two pieces of data about a target E-mail account," he says.
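The two paragraphs above describe the mechanism in outline: accounts that pre-date the secret-question safeguard could be reset by anyone who knew the E-mail address plus city, state, and ZIP code, data that is not secret and is often discoverable from public sources. The following Python is an added illustration of that class of weakness and of the usual fix, written for this page; it is not Microsoft's Passport code, and the account fields, the 1999 cut-off year, the function names and the sample accounts are all assumptions made for the example. The weak flow treats geographic data as an authenticator when no secret answer exists; the hardened flow never consults it, and instead requires a single-use token that only the mailbox owner receives, with the secret answer (where one exists) as an additional factor rather than a substitute.

```python
"""Knowledge-based password reset: a weak flow beside a hardened one.

Constructed illustration for the article's point, not Passport's code.
All account data, names and the cut-off year are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SECRET_QUESTION_INTRODUCED = 1999  # assumed cut-off year, mirroring the article


@dataclass
class Account:
    email: str
    created_year: int
    city: str
    state: str
    zip_code: str
    secret_answer: Optional[str] = None  # None: account pre-dates the safeguard
    password: str = "old-password"
    pending_token: Optional[str] = None


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (avoids timing leaks on secrets)."""
    return hmac.compare_digest(a, b)


def reset_weak(acct: Account, city: str, state: str, zip_code: str,
               secret_answer: Optional[str], new_password: str) -> bool:
    """Vulnerable flow: a secret answer is checked only if one is on file;
    accounts without one are reset on geographic data alone."""
    if acct.secret_answer is not None:
        if secret_answer is None or not _same(acct.secret_answer, secret_answer):
            return False
    supplied = (city.lower(), state.lower(), zip_code)
    on_file = (acct.city.lower(), acct.state.lower(), acct.zip_code)
    if supplied != on_file:
        return False
    acct.password = new_password
    return True


def begin_reset_hardened(acct: Account) -> str:
    """Step 1: issue a single-use token to the mailbox owner. In a real
    deployment it is sent by E-mail; it is returned here so the example
    runs offline."""
    acct.pending_token = secrets.token_urlsafe(32)
    return acct.pending_token


def complete_reset_hardened(acct: Account, token: str,
                            secret_answer: Optional[str],
                            new_password: str) -> bool:
    """Step 2: the token proves control of the mailbox. The secret answer,
    where one exists, is an extra factor. City/state/ZIP are never
    consulted, because they are not secrets."""
    if acct.pending_token is None or not _same(acct.pending_token, token):
        return False
    if acct.secret_answer is not None:
        if secret_answer is None or not _same(acct.secret_answer, secret_answer):
            return False
    acct.pending_token = None  # single use
    acct.password = new_password
    return True


def demo() -> dict:
    """Run the attacker's position against both flows. The attacker knows
    only the E-mail address and city/state/ZIP (constructed sample data)."""
    old = Account("old@example.com", 1998, "Redmond", "WA", "98052")
    new = Account("new@example.com", 2001, "Redmond", "WA", "98052",
                  secret_answer="Rover")
    results = {}
    # Pre-1999 account, no secret answer on file: geographic data suffices.
    results["weak_old_account_hijacked"] = reset_weak(
        old, "Redmond", "WA", "98052", None, "attacker-pw")
    # Post-1999 account: the secret answer blocks the same attacker.
    results["weak_new_account_hijacked"] = reset_weak(
        new, "Redmond", "WA", "98052", None, "attacker-pw")
    # Hardened flow: a guessed token fails, the real token succeeds once.
    old2 = Account("old2@example.com", 1998, "Redmond", "WA", "98052")
    results["hardened_forged_token"] = complete_reset_hardened(
        old2, secrets.token_urlsafe(32), None, "attacker-pw")
    token = begin_reset_hardened(old2)
    results["hardened_real_token"] = complete_reset_hardened(
        old2, token, None, "owner-pw")
    results["hardened_token_reuse"] = complete_reset_hardened(
        old2, token, None, "attacker-pw")
    results["final_password"] = old2.password
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is the one the article turns on: an authenticator is only as strong as the difficulty of learning it, and a reset path that accepts publicly knowable attributes for one population of accounts is a hole for exactly that population, however small the fallback logic looks in code.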

This is the second .Net Passport vulnerability to surface in as many months. In May, a vulnerability that also involved Passport's password reset feature was discovered (see Passport Not Winning The Trust Game).

The discovery does dent "what little remaining confidence anyone might have in these type of private identity systems," Pescatore says. Public confidence in identity services such as Microsoft's Passport or the Liberty Alliance is so weak, he says, that it will take a major backer such as the U.S. government, the credit-card industry, or a major telecom company to support the technology before such a service sees widespread adoption.
