May 12, 2003, 10:34 AM — The disclosure Wednesday of a serious security vulnerability in the .NET Passport service underscored shortcomings with the development and management of the single sign-on technology and may undermine Microsoft Corp.'s efforts to win wider adoption of Passport among businesses and individuals, an industry analyst said.
The flaw came to the company's attention late Wednesday after details about it were posted to an online software vulnerability discussion list.
The vulnerability was in a function that enabled Passport users who had forgotten their password to change it using an e-mail message sent to an address associated with their Passport account. The flaw enabled an attacker to have the password update e-mail sent to an e-mail address of their choice, and required little more than knowledge of their victim's e-mail address to use.
Microsoft scrambled late Wednesday and Thursday to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored by early Thursday morning, with only a "handful" of .NET Passport customers affected, Sohn said.
However, with 200 million registered users and Passport Wallet features that hold sensitive financial information, the issue raises questions about the security of the entire Passport service, according John Pescatore, an analyst with Gartner Inc.
"This definitely raises the possibility that there are larger security issues (with Passport)," he said.
The fact that such a glaring security hole was discovered by someone outside of Microsoft, years after Passport's debut, does not bode well for the service, Pescatore said.
"We're talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows," he said.
The password vulnerability discovered Wednesday may indicate Microsoft is not holding its services such as Passport and MSN TV up to the same scrutiny as its server and desktop products when it comes to security, Pescatore said.
But Sohn defended Passport's security, saying that Microsoft conducted security training and code reviews for Passport in a similar way that it did for Windows Server 2003 and other products, though not on the same scale.
"It's not a system that's rife (with errors). It's a hardened system. We feel we employ very high levels of scrutiny," he said.
Microsoft was making progress through its Trustworthy Computing initiative and, despite other publicized vulnerabilities in recent years, there is little evidence of customer information being compromised, Sohn said.