Microsoft Confirms, Fixes Passport FlawMicrosoft Confirms, Fixes Passport Flaw

A flaw in Microsoft's .Net Passport system may have made the identities behind some user accounts available to attackers who could have taken over the accounts or reset passwords. The flaw was disclosed in a message posted to the security Vulnerability Discussion mailing list last week and confirmed by a Microsoft official Tuesday.

The Web identity service, .Net Passport, is used by Microsoft and other companies to let customers use their E-mail addresses and passwords to gain access to a variety of online services.

The vulnerability, according to the poster who identified himself as Victor Manuel Alvarez Castro, was created by the way .Net Passport handled a process designed to assist users who have lost their passwords. Currently, Microsoft has a "secret question" safeguard to help validate someone who wants to reset a .Net Passport password. This feature has been in place since 1999, but users who established their accounts before then could have had their accounts hijacked, according to the advisory. If the attacker knew the victim's E-mail address and basic geographic location information, accounts would be at risk, the advisory stated.

Jeff Jones, senior director of trustworthy computing security at Microsoft, says the vulnerability was minor and only existed for a small set of Passport users who created their accounts before 1999. Though the exact number of at-risk accounts is not known, Jones says, "there were no known accounts affected by this vulnerability." Microsoft changed the password-reset process for those users, and, it says, strangers can no longer gain access to those accounts.

The vulnerability appears to be minor, says John Pescatore, research director at Gartner. The fact that an attacker would have to enter city, state, and ZIP code information to exploit the security hole would have prevented widespread automated identity theft, he says. "It would generally prevent automated attacks and at least require me to know two pieces of data about a target E-mail account," he says.

This is the second .Net Passport vulnerability to surface in as many months. In May, a vulnerability that also involved Passport's password reset feature was discovered (see Passport Not Winning The Trust Game).

The discovery does dent "what little remaining confidence anyone might have in these type of private identity systems," Pescatore says. Public confidence in identity services such as Microsoft's Passport or the Liberty Alliance is so weak, he says, that it will take a major backer such as the U.S. government, the credit-card industry, or a major telecom company to support the technology before such a service sees widespread adoption.