Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly-discovered flaws permitted anyone to change an existing Passport account’s password at will. This gave the intruder the use of any credit-card numbers that had been entered by the original user.

The password change could be accomplished by simply visiting Microsoft’s Passport site, Register.Passport.com, and including a user’s e-mail address – such as example@hotmail.com – as a parameter in the address bar of the visitor’s browser. In response, the Passport site then sent a “change password” link by e-mail to any e-mail address that had been included as a second parameter. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.

I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked“) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.

This article is part of our premium content. Join Now.

Already a paid subscriber? Click here to login.



Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

= Paid content

All Windows Secrets articles posted on 2003-05-22: