Microsoft Confirms, Fixes Passport Flaw - InformationWeek
05:12 PM

Microsoft Confirms, Fixes Passport Flaw

The software vendor says few accounts were jeopardized by the .Net Passport vulnerability.

A flaw in Microsoft's .Net Passport system may have made the identities behind some user accounts available to attackers who could have taken over the accounts or reset passwords. The flaw was disclosed in a message posted to the security Vulnerability Discussion mailing list last week and confirmed by a Microsoft official Tuesday.

The Web identity service, .Net Passport, is used by Microsoft and other companies to let customers use their E-mail addresses and passwords to gain access to a variety of online services.

The vulnerability, according to the poster who identified himself as Victor Manuel Alvarez Castro, was created by the way .Net Passport handled a process designed to assist users who have lost their passwords. Currently, Microsoft has a "secret question" safeguard to help validate someone who wants to reset a .Net Passport password. This feature has been in place since 1999, but users who established their accounts before then could have had their accounts hijacked, according to the advisory. If the attacker knew the victim's E-mail address and basic geographic location information, accounts would be at risk, the advisory stated.

Jeff Jones, senior director of trustworthy computing security at Microsoft, says the vulnerability was minor and only existed for a small set of Passport users who created their accounts before 1999. Though the exact number of at-risk accounts is not known, Jones says, "there were no known accounts affected by this vulnerability." Microsoft changed the password-reset process for those users, and, it says, strangers can no longer gain access to those accounts.

The vulnerability appears to be minor, says John Pescatore, research director at Gartner. The fact that an attacker would have to enter city, state, and ZIP code information to exploit the security hole would have prevented widespread automated identity theft, he says. "It would generally prevent automated attacks and at least require me to know two pieces of data about a target E-mail account," he says.

This is the second .Net Passport vulnerability to surface in as many months. In May, a vulnerability that also involved Passport's password reset feature was discovered (see Passport Not Winning The Trust Game).

The discovery does dent "what little remaining confidence anyone might have in these type of private identity systems," Pescatore says. Public confidence in identity services such as Microsoft's Passport or the Liberty Alliance is so weak, he says, that it will take a major backer such as the U.S. government, the credit-card industry, or a major telecom company to support the technology before such a service sees widespread adoption.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll