News
News
7/1/2003
05:12 PM
50%
50%

Microsoft Confirms, Fixes Passport Flaw

The software vendor says few accounts were jeopardized by the .Net Passport vulnerability.

A flaw in Microsoft's .Net Passport system may have made the identities behind some user accounts available to attackers who could have taken over the accounts or reset passwords. The flaw was disclosed in a message posted to the security Vulnerability Discussion mailing list last week and confirmed by a Microsoft official Tuesday.

The Web identity service, .Net Passport, is used by Microsoft and other companies to let customers use their E-mail addresses and passwords to gain access to a variety of online services.

The vulnerability, according to the poster who identified himself as Victor Manuel Alvarez Castro, was created by the way .Net Passport handled a process designed to assist users who have lost their passwords. Currently, Microsoft has a "secret question" safeguard to help validate someone who wants to reset a .Net Passport password. This feature has been in place since 1999, but users who established their accounts before then could have had their accounts hijacked, according to the advisory. If the attacker knew the victim's E-mail address and basic geographic location information, accounts would be at risk, the advisory stated.

Jeff Jones, senior director of trustworthy computing security at Microsoft, says the vulnerability was minor and only existed for a small set of Passport users who created their accounts before 1999. Though the exact number of at-risk accounts is not known, Jones says, "there were no known accounts affected by this vulnerability." Microsoft changed the password-reset process for those users, and, it says, strangers can no longer gain access to those accounts.

The vulnerability appears to be minor, says John Pescatore, research director at Gartner. The fact that an attacker would have to enter city, state, and ZIP code information to exploit the security hole would have prevented widespread automated identity theft, he says. "It would generally prevent automated attacks and at least require me to know two pieces of data about a target E-mail account," he says.

This is the second .Net Passport vulnerability to surface in as many months. In May, a vulnerability that also involved Passport's password reset feature was discovered (see Passport Not Winning The Trust Game).

The discovery does dent "what little remaining confidence anyone might have in these type of private identity systems," Pescatore says. Public confidence in identity services such as Microsoft's Passport or the Liberty Alliance is so weak, he says, that it will take a major backer such as the U.S. government, the credit-card industry, or a major telecom company to support the technology before such a service sees widespread adoption.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 Digital Issue, April 2015
The 27th annual ranking of the leading US users of business technology
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of April 19, 2015.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.