Passport security takes another holiday

Summary: The second flaw in as many months has been discovered in Microsoft Passport, the software company's repository for personal information and credit card details.

Microsoft has had to admit that for the second time in six weeks, a major security flaw has been discovered in Passport -- the single sign-on repository designed to keep all its users' personal details and credit card numbers in a safe place.

The more recent glitch, fixed by Microsoft on Monday, could have allowed attackers to gain access to user accounts that were opened more than four years ago, according to several industry reports. The flaw, publicised on a security mailing list, made it possible for an attacker who knew an account name and the account holder's general geographic location to discover the account's password. Microsoft was not aware of accounts having been compromised, reports said.

The flaw is similar to one reported in May by Pakistan MBA student Muhammad Faisal Rauf Danka, who discovered that the Passport password recovery mechanism -- which is used by users who have forgotten their passwords -- could allow an attacker to gain full access to any user's account. According to Danka, he had tried to warn Microsoft about the problem for months, but the software giant did not respond to his emails.

Microsoft has long claimed that Passport is central to its future plans, but an alarming number of security vulnerabilities have been discovered.

Last August, Microsoft promised the Federal Trade Commission that it would improve the security of Passport and refrain from making false statements about privacy and protection. The FTC could hit Microsoft with a fine of $11,000 per violation, which would amount to trillions of dollars if the millions of Passport users are taken into account.



About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
