Microsoft fixes Passport 'feature'
By Matt Whipp
Posted on 12 May 2003 at 12:22
Microsoft says it has fixed an 'oversight' in its Passport system that allowed an attacker to redirect the response containing the password-change link to any email address of the attacker's choosing.
It suspended the feature while looking for a fix and on Friday claimed that Passport was back on its feet and secure.
Microsoft suggests a simple test to see if you have been affected: if you can sign in to your account, you're all right. If you can't, your account may have been compromised.
The gaping hole has proved a huge PR black hole for the company. Just at the time when Microsoft is preparing the first fruit of its Trustworthy Computing platform, it is lumbered with a security issue that, according to Muhammad Faisal Rauf Danka, the person who discovered it, was already being exploited. He says he had contacted Microsoft several times previously about the issue (although not via Microsoft's standard security email address).
Not only will the hole cost Microsoft its reputation on security, it may also cost it real money. An agreement with the Federal Trade Commission last August forced Microsoft to undergo security audits every other year, to improve security and privacy controls and not to make false claims about the security of its Passport service. If this latest flaw, and Microsoft's actions, were found to contravene the terms of the agreement, the company could be looking at serious fines.
The final cheek-flushing element to this is that it should happen to Passport, Microsoft's jewel in its Web services crown.
The single sign-in service is aimed at getting everyone to lead much of their online life. From shopping to chatting, the service identifies users and hooks into a number of activities. Thus, each account can contain valuable information, from personal details to credit card numbers.
Microsoft reckons it has some 200 million active accounts, in use for Hotmail, Instant Messenger and Microsoft Reader e-book services, as well as by participating online retailers.