Security Flaw Threatened Microsoft Passport Personal Information

A flaw in Microsoft's password recovery let hackers change a customer's password to Microsoft's Passport online-identity service, but has been fixed, the company confirmed Thursday.

The flaw was posted late Wednesday to Full Disclosure, a security mailing list. It let attackers change the password of users' accounts for any account where the attacker knew the user name the customer was using to access Passport. Analysts say the attack appeared simple to perform and jeopardized customers' personal information, including credit-card information.

Passport accounts can used by Web surfers to log onto multiple Web sites using the Passport service as the single authentication to Web sites that choose to accept Passport logins as authentic. Microsoft also has touted Passport as an important part of its Web services future.

Adam Sohn, product manager for Microsoft Passport, says the company shut down user access to its Passport password-reset service shortly after it learned of the flaw. Microsoft fixed the problem within eight hours of its disclosure, he says.

That may be so, but Avivah Litan, VP for financial services at Gartner, says the incident doesn't bode well for Microsoft. Litan says while Microsoft's problems with security vulnerabilities may be widely known in the tech industry, average consumers will become wary of the company's software as they learn about security issues like this. "This is exactly what they didn't need at the wrong time," Litan says. "This is just going to escalate the issue and make their security issues more widely known to a wider audience."