Software // Enterprise Applications
News
3/4/2003
02:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Security Flaw Threatened Microsoft Passport Personal Information

The company says the flaw, which let hackers change a customer's password, has been fixed.

A flaw in Microsoft's password recovery let hackers change a customer's password to Microsoft's Passport online-identity service, but has been fixed, the company confirmed Thursday.

The flaw was posted late Wednesday to Full Disclosure, a security mailing list. It let attackers change the password of users' accounts for any account where the attacker knew the user name the customer was using to access Passport. Analysts say the attack appeared simple to perform and jeopardized customers' personal information, including credit-card information.

Passport accounts can used by Web surfers to log onto multiple Web sites using the Passport service as the single authentication to Web sites that choose to accept Passport logins as authentic. Microsoft also has touted Passport as an important part of its Web services future.

Adam Sohn, product manager for Microsoft Passport, says the company shut down user access to its Passport password-reset service shortly after it learned of the flaw. Microsoft fixed the problem within eight hours of its disclosure, he says.

That may be so, but Avivah Litan, VP for financial services at Gartner, says the incident doesn't bode well for Microsoft. Litan says while Microsoft's problems with security vulnerabilities may be widely known in the tech industry, average consumers will become wary of the company's software as they learn about security issues like this. "This is exactly what they didn't need at the wrong time," Litan says. "This is just going to escalate the issue and make their security issues more widely known to a wider audience."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.