Passport problems could cost Microsoft

On Thursday, the software giant was scrambling to determine the impact of a flaw in the password reset feature of its Passport identity service. The vulnerability, first reported by CNET News.com, could have allowed attackers armed only with a Passport user's e-mail address to access information such as the user's name, address and credit card number.

For a company that has publicly made security a priority, the Passport problem was a serious setback. But the damage to the company could run to more than just bad public relations.

Last August, Microsoft signed a consent decree promising the Federal Trade Commission that it would not make false statements about the security and privacy protections in its Passport service and that it would improve those protections. While the FTC doesn't comment on potential investigations, the agency does look into questions regarding a company's compliance with agreements.

"Under our order, they need to take reasonable and appropriate steps and safeguards," said Jessica Rich, assistant director for the financial practices division of the FTC. "Obviously, there is not a standard that says if something went wrong, they are in violation of the order. But we will assess whether the steps that were taken were reasonable."

The potential investigation--which could lead to hefty fines at a rate of $11,000 per violation--is the latest problem to hit Microsoft's beleaguered Passport service. A flaw found 18 months ago could have also allowed attackers to gain access to the identity information stored in some of accounts. That flaw and other issues led to the August 2002 consent decree with the FTC.

The question now is whether Microsoft may have violated that decree when it changed the Passport system in September and added the vulnerable password reset feature. Provisions in the agreement call for the company to pursue the "design and implementation of reasonable safeguards to control the risks" to a customer's information.

"Security is never absolute, so the question is whether they are using reasonable measures," said Chris Hoofnagle, deputy counsel with the Washington-based Electronic Privacy Information Center. "The result certainly isn't reasonable, but that doesn't mean the company has been negligent. But in a situation like this, the result speaks for itself."

Microsoft would not comment whether it was discussing the issue with the FTC.

A violation could tarnish Microsoft's vision of its role in the Web-enabled future. The software giant has touted Passport as a technological centerpiece in Web services. Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers. They can also act as a single key to access many online accounts.

Microsoft uses Passport authentication for its Hotmail e-mail service and its MSN Messenger instant messaging service. Other e-commerce services also rely on Passport--it's used in transactions in online games and in purchases of Microsoft Reader e-books, for example. Several online retailers, such as eBay, Canon, Expedia and Starbucks, also use Passport authentication. Microsoft estimates there are 200 million active Passport accounts.

The latest flaw allowed a single Web address--or URL--to be used to request a password reset form from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser, an attacker could have caused the Passport servers to return a link that allowed the password to be reset, thus giving the attacker access to the account.

Microsoft quickly moved to stop online vandals from exploiting the glitch. A security advisory was posted just before 8 p.m. PDT on Wednesday, and by 11:30 that night the company had essentially turned off the feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.

On Wednesday, Microsoft disabled suspicious accounts, forcing some Passport subscribers to contact customer support directly for their reactivation.

"Those people will have to get the account reactivated, and that will let us make sure the right people are there and the right people have access to the accounts," said Adam Sohn, product manager for Microsoft's Passport group.

At least one Passport user who had confirmed the security vulnerability said Thursday that his account was no longer accessible. "I'm locked out of MSN and Hotmail right now," he said.

Some reports have indicated that if the FTC tries to levy fines on Microsoft, the total penalty could be as high as $2.2 trillion if all accounts are tallied as violations. However, the number of people that have been locked out of their accounts may be a better basis for determining fines.

Microsoft's Sohn said that the company should have caught the issue in its new development cycles, which have been revamped under the Trustworthy Computing initiative aimed at, among other things, reducing software vulnerabilities.

"Of course we should have caught it; we should catch every (issue)," he said. "That's what you are working toward. We are always looking. There is not a beginning or end to this kind of effort."