A flaw that allowed hackers entry into some Passport accounts has been corrected, Microsoft says

Microsoft has fixed a security flaw in its Passport online-identity system after the vulnerability was revealed by a Latin American hacker.

The flaw, which affects a small number of accounts created before August 1999, hasn't been used to compromise any data, said Jeff Jones, senior director of trustworthy computing for Microsoft.

"When we first heard about this, we tried to confirm the issue on eight or 10 accounts and couldn't," he said. "There is a very small subset of accounts that were created prior to four years ago that are affected."

Hotmail accounts that don't have a secret question set for password recovery were vulnerable to being taken over by an attacker. It's the second time in two months that a security issue has been found in Passport's password recovery mechanism.

Jones said the company repaired the data error that led to the flaw and is monitoring the accounts that could be affected by the issue. "They have done a search of all those accounts and have identified no malicious exploits," he said.

The flaw was briefly described in a posting by an independent security consultant who used the name "Victor Manuel Alvarez Castro" on the Insecure.org security mailing list.

"An account for which no secret password exists can be modified by other users by entering a new password," Castro wrote on 27 June. "It's easily identifiable because the Secret Question field will be titled like 'notset.'"

If you leave the "Secret Question" blank and then set a new password for the account, you can effectively gain control of the account, he explained.

The flaw comes as a new California law goes into effect that would require companies to give notice to their customers when unencrypted personal information may have been compromised. In this case, Microsoft probably won't have to notify any users, because the company has evidence that accounts weren't tampered with.
Companies that do not comply with the California law open themselves up to civil lawsuits.
Microsoft plugs Passport hole
Another flaw fixed…




