The software vendor says few accounts were jeopardized by the .Net Passport vulnerability.
A flaw in Microsoft's .Net Passport system may have made the identities behind some user accounts available to attackers who could have taken over the accounts or reset passwords. The flaw was disclosed in a message posted to the security Vulnerability Discussion mailing list last week and confirmed by a Microsoft official Tuesday.
The Web identity service, .Net Passport, is used by Microsoft and other companies to let customers use their E-mail addresses and passwords to gain access to a variety of online services.
The vulnerability, according to the poster who identified himself as Victor Manuel Alvarez Castro, was created by the way .Net Passport handled a process designed to assist users who have lost their passwords. Currently, Microsoft has a "secret question" safeguard to help validate someone who wants to reset a .Net Passport password. This feature has been in place since 1999, but users who established their accounts before then could have had their accounts hijacked, according to the advisory. If the attacker knew the victim's E-mail address and basic geographic location information, accounts would be at risk, the advisory stated.
Jeff Jones, senior director of trustworthy computing security at Microsoft, says the vulnerability was minor and only existed for a small set of Passport users who created their accounts before 1999. Though the exact number of at-risk accounts is not known, Jones says, "there were no known accounts affected by this vulnerability." Microsoft changed the password-reset process for those users, and, it says, strangers can no longer gain access to those accounts.
The vulnerability appears to be minor, says John Pescatore, research director at Gartner. The fact that an attacker would have to enter city, state, and ZIP code information to exploit the security hole would have prevented widespread automated identity theft, he says. "It would generally prevent automated attacks and at least require me to know two pieces of data about a target E-mail account," he says.
This is the second .Net Passport vulnerability to surface in as many months. In May, a vulnerability that also involved Passport's password reset feature was discovered (see Passport Not Winning The Trust Game).
The discovery does dent "what little remaining confidence anyone might have in these type of private identity systems," Pescatore says. Public confidence in identity services such as Microsoft's Passport or the Liberty Alliance is so weak, he says, that it will take a major backer such as the U.S. government, the credit-card industry, or a major telecom company to support the technology before such a service sees widespread adoption.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.