Passport security takes another holiday

Microsoft has had to admit that for the second time in six weeks, a major security flaw has been discovered in Passport -- the single sign-on repository designed to keep all its users' personal details and credit card numbers in a safe place.

The more recent glitch, fixed by Microsoft on Monday, could have allowed attackers to gain access to user accounts that were opened more than four years ago, according to several industry reports. The flaw, publicised on a security mailing list, made it possible for an attacker who knew an account name and the account holder's general geographic location to discover the account's password. Microsoft was not aware of accounts having been compromised, reports said.

The flaw is similar to one reported in May by Pakistan MBA student Muhammad Faisal Rauf Danka, who discovered that the Passport password recovery mechanism -- which is used by users who have forgotten their passwords -- could allow an attacker to gain full access to any users' account. According to Danka, he had tried to warn Microsoft about the problem for months, but the software giant did not respond to his emails.

Microsoft has long claimed that Passport is central to its future plans, but an alarming number of security vulnerabilities have been discovered.

Last August, Microsoft promised the Federal Trade Commission that it would improve the security of Passport and refrain from making false statements about privacy and protection. The FTC could hit Microsoft with a fine of $11,000 per violation, which would amounts to trillions of dollars if the millions of Passport users are taken into account.

Let the editors know what you think in the Mailroom.