Security Flaw Threatened Microsoft Passport Personal Information - InformationWeek

Security Flaw Threatened Microsoft Passport Personal Information

The company says the flaw, which let hackers change a customer's password, has been fixed.

A flaw in Microsoft's password recovery let hackers change a customer's password for Microsoft's Passport online-identity service, but it has been fixed, the company confirmed Thursday.

The flaw was posted late Wednesday to Full Disclosure, a security mailing list. It let attackers change the password of any account for which they knew the user name the customer was using to access Passport. Analysts say the attack appeared simple to perform and jeopardized customers' personal information, including credit-card information.

Passport accounts can be used by Web surfers to log on to multiple Web sites, with the Passport service acting as the single authentication for Web sites that choose to accept Passport logins as authentic. Microsoft also has touted Passport as an important part of its Web services future.

Adam Sohn, product manager for Microsoft Passport, says the company shut down user access to its Passport password-reset service shortly after it learned of the flaw. Microsoft fixed the problem within eight hours of its disclosure, he says.

That may be so, but Avivah Litan, VP for financial services at Gartner, says the incident doesn't bode well for Microsoft. Litan says while Microsoft's problems with security vulnerabilities may be widely known in the tech industry, average consumers will become wary of the company's software as they learn about security issues like this. "This is exactly what they didn't need at the wrong time," Litan says. "This is just going to escalate the issue and make their security issues more widely known to a wider audience."
