By Brian Livingston
Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.
One of the newly discovered flaws permitted anyone to change an existing Passport account’s password at will. An intruder who did so gained the use of any credit-card numbers the original user had entered into the account.
The password change could be accomplished by simply visiting Microsoft’s Passport site, Register.Passport.com, and including a user’s e-mail address – such as firstname.lastname@example.org – as a parameter in the address bar of the visitor’s browser. In response, the Passport site sent a “change password” link by e-mail to whatever address had been included as a second parameter. Nothing tied that second address to the account being reset, so anyone who knew a victim’s Passport address could have the reset link delivered to an address of their own choosing. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.
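The pattern described above, a password-reset request that lets the client name both the account to reset and the mailbox that receives the link, is easy to reproduce and easy to fix. The following is an added example written for this column, not Microsoft’s Passport code: the parameter names `account` and `send_to`, the hostname `register.example.test`, the account table and the in-memory outbox are all constructed stand-ins. It shows a handler with the flaw beside a hardened one that sends the link only to the address already on record and binds the link to the account with an expiring HMAC token.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed account store. The e-mail address is the account identity and
# the only place a reset link should ever be delivered. (Plaintext passwords
# are used here only to keep the example short; a real store hashes them.)
ACCOUNTS = {
    "victim@example.org": {"password": "hunter2", "card": "4111-xxxx-xxxx-1234"},
}

# Constructed stand-in for the outgoing mail server: (recipient, link) tuples.
OUTBOX = []

SECRET = secrets.token_bytes(32)   # per-deployment key for reset tokens
TOKEN_TTL = 15 * 60                # seconds a reset link stays valid
RESET_URL = "https://register.example.test/reset?token="


def vulnerable_reset(url):
    """Flawed handler: honours a client-supplied destination for the link."""
    q = parse_qs(urlparse(url).query)
    target = q.get("account", [None])[0]
    send_to = q.get("send_to", [target])[0]   # attacker controls this
    if target not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(16)          # random, but sent to the wrong mailbox
    OUTBOX.append((send_to, RESET_URL + token))
    return send_to


def make_reset_token(account, now=None):
    """Token = account | issue time | HMAC over both, so it cannot be re-pointed."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET, f"{account}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{account}|{ts}|{mac}"


def verify_reset_token(token, now=None):
    """Return the account the token is bound to, or None if forged or expired."""
    try:
        account, ts, mac = token.rsplit("|", 2)
        ts = int(ts)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{account}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > TOKEN_TTL:
        return None
    return account if account in ACCOUNTS else None


def hardened_reset(url, now=None):
    """Fixed handler: ignores any client-supplied destination entirely."""
    q = parse_qs(urlparse(url).query)
    target = q.get("account", [None])[0]
    if target not in ACCOUNTS:
        return None   # same response as success would give; reveals nothing
    OUTBOX.append((target, RESET_URL + make_reset_token(target, now)))
    return target


def complete_reset(token, new_password, now=None):
    """Second step: only a valid, unexpired token bound to a real account works."""
    account = verify_reset_token(token, now)
    if account is None:
        return False
    ACCOUNTS[account]["password"] = new_password
    return True


if __name__ == "__main__":
    req = ("https://register.example.test/reset-request"
           "?account=victim@example.org&send_to=attacker@example.net")
    print("vulnerable handler mailed the link to:", vulnerable_reset(req))
    print("hardened handler mailed the link to:", hardened_reset(req))
```

The hardened handler is indifferent to `send_to`; the only address it will ever mail is the one stored with the account, and the token it mails is useless for any other account because the account name is under the MAC.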
I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked”) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.
Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.