Passport flaw leaves user info up for grabs
Microsoft Corp. has scrambled to shut down a flaw in its Passport service that could potentially reveal users' critical personal information, a company spokesman confirmed Thursday.
The flaw, which was reported to the company late Wednesday, was located in the service's password recovery system and would allow attackers to change an account password if they knew the user name.
Adam Sohn, a product manager with the Passport team, said Thursday that the flaw has been shut down and that the company is working to quickly fix the matter.
While Sohn said a preliminary investigation suggested that the vulnerability was not seriously exploited, it could potentially pose a large security threat to Passport users who store critical personal information, such as credit card details, with the service so that they can access various online sites and services without retyping it.
The vulnerability was in the function that allowed users to request a forgotten Passport password via e-mail. By tricking the system into initiating an e-mail password reset process, a malicious attacker could then request that the password be sent to a different e-mail address, Sohn said.
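The failure pattern described above, trusting the requester to name where the reset mail goes, beside a hardened reset flow that only ever mails the address on file and uses an expiring, single-use random token. This is an added illustration written for this page, not Microsoft's or Passport's code; the account store, field names and 15-minute lifetime are constructed assumptions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample account store (hypothetical; not Passport's data model).
ACCOUNTS = {"alice": {"email": "alice@example.org", "password": "old-secret"}}

TOKEN_TTL_SECONDS = 15 * 60          # assumed token lifetime
PENDING: Dict[str, Tuple[str, float]] = {}   # user -> (token, expires_at)


def flawed_reset_destination(user: str, requested_email: str) -> Optional[str]:
    """The pattern the article describes: the request itself chooses the
    address the reset is sent to, so knowing a user name is enough."""
    if user not in ACCOUNTS:
        return None
    return requested_email           # client-supplied address is trusted


def hardened_request_reset(user: str, now: Optional[float] = None) -> Optional[str]:
    """Mail goes only to the address on file; any address in the request is
    ignored. A fresh random token is stored with an expiry time."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(user)
    if account is None:
        return None                  # show the same generic page either way
    token = secrets.token_urlsafe(32)
    PENDING[user] = (token, now + TOKEN_TTL_SECONDS)
    # The return value stands in for "send this token to this address".
    return account["email"]


def hardened_redeem(user: str, token: str, new_password: str,
                    now: Optional[float] = None) -> bool:
    """Accept a token once, only before expiry, compared in constant time."""
    now = time.time() if now is None else now
    pending = PENDING.get(user)
    if pending is None:
        return False
    stored_token, expires_at = pending
    if now > expires_at or not secrets.compare_digest(stored_token, token):
        return False
    del PENDING[user]                # single use
    ACCOUNTS[user]["password"] = new_password
    return True
```

The token must be unpredictable and bound to the account it was issued for; the e-mail address on file is the only delivery target a reset handler should ever consult.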
Microsoft has turned off this feature while it fixes the problem, and users requesting a forgotten password were instructed to use other means, such as going through the customer service support page.
Sohn said that the problem should be fixed "within hours" and that the company is actively investigating the matter.
IDG News Service