Passport security takes another holiday

The second flaw in as many months has been discovered in Microsoft Passport, the software company's repository for personal information and credit card details
Written by Munir Kotadia, Contributor

Microsoft has had to admit that for the second time in six weeks, a major security flaw has been discovered in Passport -- the single sign-on repository designed to keep all its users' personal details and credit card numbers in a safe place.

The more recent glitch, fixed by Microsoft on Monday, could have allowed attackers to gain access to user accounts that were opened more than four years ago, according to several industry reports. The flaw, publicised on a security mailing list, made it possible for an attacker who knew an account name and the account holder's general geographic location to discover the account's password. Microsoft was not aware of accounts having been compromised, reports said.

The flaw is similar to one reported in May by Pakistani MBA student Muhammad Faisal Rauf Danka, who discovered that the Passport password recovery mechanism -- used by users who have forgotten their passwords -- could allow an attacker to gain full access to any user's account. According to Danka, he had tried to warn Microsoft about the problem for months, but the software giant did not respond to his emails.

Microsoft has long claimed that Passport is central to its future plans, but an alarming number of security vulnerabilities have been discovered.

Last August, Microsoft promised the Federal Trade Commission that it would improve the security of Passport and refrain from making false statements about privacy and protection. The FTC could hit Microsoft with a fine of $11,000 per violation, which would amount to trillions of dollars if the millions of Passport users are taken into account.
