Microsoft Passport flaw revealed - Wallet insecure

Cyber-Fagins would be able to pick a pocket or two ...
Written by Pia Heikkila, Contributor

Further vulnerabilities in Microsoft's controversial Passport authentication system, which could leave personal and financial data open to abuse, have been revealed.

The discovery was made by a US researcher named Marc Slemko, an open source software engineer, who claimed that by sending a Hotmail user a specially crafted email, a hacker could get access to the financial data held in the user's Passport Wallet service, which is stored on Microsoft's servers. Slemko was reported to have taken 30 minutes to uncover the flaw.

He said his theoretical attack took advantage of the cross-site scripting vulnerabilities that appear when the communications between applications, such as an internet-based email site and a financial site, are not secure.

The flaw caused Microsoft to shut down the Wallet, the part of Passport which keeps track of customers' ecommerce data, for two days.

Richard Hamblen, .NET marketing manager, claimed Microsoft is already in the process of improving the service. "We found some strange tweaks in the My Wallet part of Passport, which is currently being moved and totally re-architected anyway, and responded immediately. We can confirm that no data was compromised," he said.