Want CNET to notify you of price drops and the latest stories?

Microsoft plugs second Passport hole

The software giant fixes a flaw in its Passport online identity system that could have allowed an attacker to take over old Hotmail accounts.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Microsoft fixed a security flaw in its Passport online identity system after the vulnerability was revealed by a Latin American hacker.

The flaw, which affects a small number of accounts created before August 1999, hasn't been used to compromise any data, said Jeff Jones, senior director of trustworthy computing for Microsoft.

"When we first heard about this, we tried to confirm the issue on eight or 10 accounts and couldn't," he said. "There is a very small subset of accounts that were created prior to four years ago that are affected."

Hotmail accounts that don't have a secret question set for password recovery were vulnerable to being taken over by an attacker. It's the second time in two months that a security issue has been found in Passport's password recover mechanism.

Jones said the company repaired the data error that led to the flaw and is monitoring the accounts that could be affected by the issue.

"They have done a search of all those accounts and have identified no malicious exploits," he said.

The flaw was briefly described in a posting by an independent security consultant who used the name "Victor Manuel Alvarez Castro" on the Insecure.org security mailing list.

"An account for which no secret password exists can be modified by other users by entering a new password," Castro wrote on June 27. "It's easily identifiable because the Secret Question field will be titled like 'notset.'" If you leave the "Secret Question" in blank and then set a new password for the account, you can effectively gain control of the account, he explained.

The flaw comes as a new California law goes into effect that would require companies to give notice to their customers when unencrypted personal information may have been compromised. In this case, Microsoft likely won't have to notify any users, because the company has evidence that accounts weren't tampered with.

Companies that do not comply with the California law open themselves up to civil lawsuits.