Microsoft shuts site--IDs exposed

Microsoft closes a site hosted by Softbank Services after discovering that it was revealing private information for 108,000 customers.

Paul Festa, Staff Writer, CNET News.com (covers browser development and Web standards)
Microsoft has resurrected a software upgrade site hosted and maintained by Softbank Services. Microsoft had killed the site Friday after discovering that it was revealing private identification and contact information for 108,000 Microsoft customers.

The site lets users of Microsoft's Money financial management software upgrade to Money 99 from previous versions of the application. Microsoft had Softbank Services pull the site after learning of the security breach from CNET News.com (See related story).

Users trying to access the downed site first received an HTTP error page. Over the weekend, the site was changed to read: "We are sorry, but our site is temporarily out of service. If you would like to place an order for Money 99 or the Financial Suite, please call 1-800-598-2068. M-F 8 a.m.-10 p.m. ET."

Today Microsoft and Softbank Services restored the site with the security hole patched.

Microsoft on Thursday sent out a mass email inviting Money users to order the software upgrade, either online or through the toll-free line. The email included a unique nine-digit reservation number.

Once at the Softbank Services-hosted upgrade site, users could enter the nine-digit number to order the upgrade. If they altered one or more of its digits, however, they were likely to call up the account of another customer.

While the resulting Web page did not display users' personal information outright, the pages contained names, phone numbers, email addresses, and postal addresses in a series of hidden fields. Those hidden fields could be viewed easily in the document or page source.

News.com was notified of the problem Friday by Gregor Freund of San Francisco security software firm Slant.

"You could write a ten-line script and download all that information and use it for whatever purpose," Freund said. "These are very targeted addresses."

It is not clear whether other Microsoft customer databases hosted by Softbank Services--or Softbank Services' other clients--were similarly exposed.

Softbank Services today declined to comment on the matter.

Softbank Services is a subsidiary of Onex, a Toronto-based holding company that acquired the division from Softbank earlier this month. Softbank is a Japanese software, hardware, and publishing conglomerate.

A Microsoft spokesperson suggested that the privacy breach was probably an isolated incident. "We have used the service many, many times in many different ways for years, and this was the first time that this sort of thing has come to our attention," the spokesperson said.

Fewer than 50 people accessed the site before Microsoft pulled the insecure site Friday, the spokesperson said.

Softbank Services and Microsoft today secured the site by requiring users to supply their zip code in addition to their reservation number. That extra variable makes it prohibitively difficult to access others' accounts by random guessing.
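As an added illustration, not code from the Softbank Services site (whose implementation is not public), the following Python sketch places the weak design the article describes beside the fix it reports: a lookup keyed on the reservation number alone that copies contact details into hidden form inputs, versus one that also requires the customer's zip code and keeps the contact details out of the page. The records, reservation numbers and zip codes are constructed sample values.

```python
import hmac
import html

# Constructed sample records; numbers and zip codes are made up for the example.
CUSTOMERS = {
    "100000001": {"name": "A. Example", "phone": "555-0100",
                  "email": "a@example.invalid", "zip": "98052"},
    "100000002": {"name": "B. Example", "phone": "555-0101",
                  "email": "b@example.invalid", "zip": "94107"},
}


def render_page_weak(reservation: str) -> str:
    """Weak design: the reservation number alone selects the record, and the
    contact details are copied into hidden inputs. Anyone who lands on a valid
    number sees another customer's data in the page source."""
    rec = CUSTOMERS.get(reservation)
    if rec is None:
        return "<p>Unknown reservation</p>"
    hidden = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
        for k, v in rec.items() if k != "zip")
    return f"<form>{hidden}<input type='submit' value='Order'></form>"


def render_page_hardened(reservation: str, zip_code: str) -> str:
    """Hardened design: require a second value only the customer should know,
    compare it in constant time, and keep contact details server-side. The page
    carries only the reservation number the user already supplied. A zip code is
    low-entropy, so failed attempts should also be rate-limited and logged."""
    rec = CUSTOMERS.get(reservation)
    if rec is None or not hmac.compare_digest(rec["zip"].encode(), zip_code.encode()):
        # Identical response for a bad number and a bad zip, so neither is confirmed.
        return "<p>We could not match that reservation number and zip code.</p>"
    return (f'<form><input type="hidden" name="reservation" '
            f'value="{html.escape(reservation)}">'
            f"<p>Hello {html.escape(rec['name'])}</p>"
            f"<input type='submit' value='Order'></form>")


def leaks_pii(page: str) -> bool:
    """Detection check: does a rendered page carry contact fields in hidden inputs?"""
    return any(f'name="{k}"' in page for k in ("phone", "email"))
```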