Microsoft fixes Passport flaw

The software giant works overnight to repair the password reset feature of its online identity service after a flaw was discovered that put millions of accounts at risk.

Robert Lemos, Staff Writer, CNET News.com (covers viruses, worms and other security threats)

Microsoft security and product teams worked overnight to fix a flaw in the password reset feature of the Passport identity service that threatened to compromise millions of accounts.

By 8 a.m. PST Thursday, the company had replaced the service with a more secure version, one that should have been there in the first place, said Adam Sohn, product manager for Microsoft's Passport team.

"It was something that slipped through the reviews," he said. Sohn added that the feature had been around since September 2002 and that Microsoft is currently investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.

The issue, which was first reported by CNET News.com, is perhaps the largest vulnerability known to have slipped through Microsoft's security reviews since the company began its Trustworthy Computing Initiative aimed at, among other things, reducing software vulnerabilities.

Microsoft has touted Passport as a technological centerpiece in its Web services future. Passport accounts are central repositories for a person's online data, including personal information such as birthdays, credit card numbers and shipping addresses. The accounts are pitched as a single key for a customer's accounts, allowing for easier purchasing of items online. Microsoft estimates that there are 200 million active Passport accounts.

The security issue, apparently discovered by a Pakistani security consultant and student, became public knowledge late Wednesday night after the student sent details to the Full-Disclosure security mailing list.

"It is so simple that it is funny," wrote the student, who used the name Muhammad Faisal Rauf Danka. He claimed to have tried to contact Microsoft through several different e-mail accounts, including security@microsoft.com.

Sohn said that address is the general e-mail account for Microsoft's corporate security teams, not for its product security team. The e-mail eventually was forwarded to the Microsoft Security Response Center, but not before the company had already heard of the issue from CNET News.com.

"You live and learn," Sohn said. "We will obviously take a hard look to make sure that if something is sent through the nonstandard channels, and it is real, we are all over it."