Microsoft promises to fix Passport flaw by end of day

Oooops, it's another Hotmail PR nightmare...

Microsoft has promised that the flaw that gives unauthorised users access to Hotmail Passport accounts left open without the authorised user logging off will be fixed by the end of the day.

The problem, discovered by security enthusiast Pete Krawczyk, means that Hotmail does not automatically log someone out of a Passport account once they have left the site -- in a cyber café for example -- if the browser's cookie settings are correctly configured.

Passport lets users access e-commerce sites from a Hotmail account and retains credit card numbers that could potentially be used illegally.

Because Hotmail is particularly popular in cyber cafés, this represents a serious problem for Microsoft, which is still recovering from the embarrassment of the last Hotmail breach.

Stuart Anderson, marketing manager for Microsoft Passport, told ZDNet: "I have been assured that this will be fixed by the end of the day. That's the beauty of having a server-side program." Anderson was keen to spin the breach into a positive outcome: "When you drill down, considering all the things you have to do, it is a much smaller proportion of people who could be affected. I must also stress that it does not affect the Wallet section of Passport."

