Microsoft admits Passport identity service was vulnerable

May. 08, 2003

http://www.siliconvalley.com/mld/siliconvalley/5816546.htm

WASHINGTON (AP) - A computer researcher in Pakistan discovered how to breach Microsoft Corp.'s security procedures for its popular Internet Passport service, designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases.

Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet. Product Manager Adam Sohn said the company was unaware of hackers actually hijacking anyone's Passport account, but several experts said they successfully tested the procedure overnight.

In theory, Microsoft could face a staggering fine by U.S. regulators of up to $2.2 trillion. Under a settlement with the Federal Trade Commission last year over lapsed Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation.

The FTC said it was investigating this latest lapse. The agency's assistant director for financial practices, Jessica Rich, said Thursday that each vulnerable account could constitute a separate violation -- raising the maximum fine that could be assessed against Microsoft to $2.2 trillion.

``If we were to find that they didn't take reasonable safeguards to protect the information, that could be an order violation,'' Rich said.

The researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase ``emailpwdreset,'' he could seize any person's Passport account and change the password associated with it.

Danka, who described himself as a private security consultant, said he discovered the flaw after Passport accounts belonging to him and a friend both were hijacked repeatedly. He made certain no one had hacked his own computer, then checked the security for the Microsoft Web site that controlled Passport accounts.

Danka said he discovered the vulnerability about four minutes after he began searching in earnest.

``It was so simple to do it. It shouldn't have been so simple,'' Danka told The Associated Press in a telephone interview from Karachi. ``Anyone could have done this.''

Sohn acknowledged Microsoft should have been rejecting such transmissions from anywhere outside the company's own network. Microsoft shut down the affected Web address late Wednesday night, more than one hour after details were published on the Internet. Those filters were permanently set in place early Thursday, Sohn said.

``We didn't validate the input,'' Sohn said. ``We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this.''

Services such as Passport promise consumers a single, convenient method for identifying themselves across different Web sites, encouraging convenient purchases online of movies, music, travel and banking services.

Passport, which is closely tied to Microsoft's flagship Windows XP software, is integral to its most important upcoming technology services. Dozens of retail Web sites use it already, and Passport controls access for Windows users to the free Hotmail service and instant-messaging accounts.

Using Passport, consumers could entrust Microsoft or other organizations to centrally hold their personal information -- such as credit card numbers or medical records -- and make it available whenever needed.

The FTC last year determined that Microsoft made deceptive claims and misrepresented the security surrounding the design and use of Passport. The FTC found that Microsoft exaggerated promises about its safety.

``The FTC needs to investigate and aggressively enforce the settlement,'' said David Sobel, a lawyer for the Washington-based Electronic Privacy Information Center. ``It's an important test of the government's ability to ensure real security in the handling of personal information. There needs to be consequences for security flaws.''

Sobel's privacy group was among those that had made formal complaints about Passport, which led to the FTC settlement.

``If the passport office of any nation in the world had a security record like Microsoft's, no immigration officer would accept their passports,'' said Jason Catlett, head of Junkbusters Corp., a New Jersey-based privacy organization that also had complained to the FTC.

main page ATTRITION feedback