Security flaw discovered in Microsoft Passport

8 May 2003

A major security flaw that enables hackers to access customer accounts and information including credit card numbers has been discovered in Microsoft Passport, software touted by the company to be the technological centrepiece of its web services future.

Microsoft responded quickly to prevent hackers from exploiting the discovered flaw, posting an advisory this morning and shutting off the vulnerable feature.

The flaw allowed for a single web address to be used to request a password reset from the Passport servers. The URL contains the email address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a web browser, an attacker could cause the Passport servers to return a link that allows an account’s password to be reset. By following the link returned in the message, a hacker can change the password for the victim’s account and make free with their credit card details.

The issue is understood to have been discovered by a Pakistani security expert who found the issue after a friend’s account had been hacked.

The ease of the attack and the high value of the data frequently stored in Passport accounts are understood to make the vulnerability critical.

By John Kennedy