Microsoft fixes Passport flaw
Techies pull an all-nighter to ensure the security of your credit card details...

Microsoft security and product teams worked overnight on Wednesday to fix a flaw in the password reset feature of the Passport identity service that threatened to compromise millions of accounts.

By early Thursday morning US time, the company had replaced the service with a more secure version, one that should have been there in the first place, said Adam Sohn, product manager for Microsoft's Passport team. "It was something that slipped through the reviews," he said.

Sohn added that the feature had been around since September 2002 and that Microsoft is currently investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.

The issue is perhaps the largest vulnerability known to have slipped through Microsoft's security reviews since the company began its Trustworthy Computing Initiative, aimed at, among other things, reducing software vulnerabilities.

Microsoft has touted Passport as a technological centrepiece in its web services future. Passport accounts are central repositories for a person's online data, including personal information such as birthdays, credit card numbers and shipping addresses. The accounts are pitched as a single key for a customer's accounts, allowing for easier purchasing of items online. Microsoft estimates that there are 200 million active Passport accounts.

The security issue, apparently discovered by a Pakistani security consultant and student, became public knowledge late on Wednesday night after the student sent details to the Full-Disclosure security mailing list. "It is so simple that it is funny," wrote the student, who used the name Muhammad Faisal Rauf Danka. He claimed to have tried to contact Microsoft through several different email accounts, including security@microsoft.com. Sohn said that account is the general email account for Microsoft's corporate security teams, not its product security. The email was eventually forwarded to the Microsoft Security Response Center.

"You live and learn," Sohn said. "We will obviously take a hard look to make sure that if something is sent through the nonstandard channels, and it is real, we are all over it."

Robert Lemos writes for News.com