Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly discovered flaws permitted anyone to change an existing Passport account’s password at will. This gave the intruder the use of any credit-card numbers that had been entered by the original user.

The password change could be accomplished by simply visiting Microsoft’s Passport site, Register.Passport.com, and including a user’s e-mail address – such as example@hotmail.com – as a parameter in the address bar of the visitor’s browser. In response, the Passport site then sent a “change password” link by e-mail to any e-mail address that had been included as a second parameter. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.
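As an added illustration that is not part of the original article and is not Microsoft’s code, the following Python toy reconstructs the failure pattern described above (a reset link mailed to a caller-chosen address) next to a hardened handler that mails only the address on file and issues single-use, expiring tokens; the account store, outbox and function names are constructed for the example.

```python
import secrets
import time

# Constructed toy data; nothing here is Passport's actual code or data.
ACCOUNTS = {"example@hotmail.com": {"password_hash": "old-hash"}}
OUTBOX = []        # (recipient, message) pairs standing in for a mail server
RESET_TOKENS = {}  # token -> (account e-mail, expiry timestamp)
TOKEN_TTL = 3600   # reset links expire after one hour

def issue_token(email):
    token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    RESET_TOKENS[token] = (email, time.time() + TOKEN_TTL)
    return token

def request_reset_vulnerable(params):
    """Toy version of the 2003 flaw: the caller names the account AND the
    address that receives the link, so the link need never reach the owner."""
    email = params.get("email")
    if email not in ACCOUNTS:
        return False
    OUTBOX.append((params.get("sendto", email), f"reset?token={issue_token(email)}"))
    return True

def request_reset_fixed(params):
    """Hardened handler: any caller-supplied destination is ignored and the link
    goes only to the address on file. The response is the same whether or not
    the account exists, so the endpoint cannot be used to confirm addresses."""
    email = params.get("email", "")
    if email in ACCOUNTS:
        OUTBOX.append((email, f"reset?token={issue_token(email)}"))
    return True

def redeem_token(token, new_password_hash, now=None):
    """Single-use and time-limited: the token is consumed on first use and
    rejected once expired, so a leaked link has a narrow window of value."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password_hash"] = new_password_hash
    return True

def deliveries_to(address):
    """Messages the toy mail server delivered to one address (for checks)."""
    return [body for rcpt, body in OUTBOX if rcpt == address]
```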


I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked”) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.

In August 2002, Microsoft agreed to settle a complaint filed by the U.S. Federal Trade Commission (FTC) against Passport and its Wallet credit-card payment feature.

  • “Microsoft falsely represented,” according to the FTC action, “that it employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers’ personal information collected through its Passport and Passport Wallet services, including credit card numbers.”

One researcher who sounded the latest alarm bells, Qazi Ahmed of PakCERT (Pakistan Computer Emergency Response Team), said in a statement that other issues remain unsolved in Passport. “We were forced to release this information publicly,” Ahmed reported, “as these vulnerabilities are actively being exploited in the wild and are some of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net/Passport.” He declined to reveal technical details of the other problems because, he said, Microsoft has no fix available yet.

My take? Don’t use Passport or enter any credit-card or financial information into it. Unfortunately, this may be difficult for some users. Microsoft requires a Passport account to access several of its services, including Hotmail and technical support for some consumer products. But I’d say you can have a Wallet full of credit cards or you can have a wallet full of credit cards. The choice is yours.

My thanks to reader James Merrill for his help on this topic. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

All Windows Secrets articles posted on 2003-05-22: