Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly-discovered flaws permitted anyone to change an existing Passport account’s password at will. This gave the intruder the use of any credit-card numbers that had been entered by the original user.

The password change could be accomplished by simply visiting Microsoft’s Passport site,, and including a user’s e-mail address – such as – as a parameter in the address bar of the visitor’s browser. In response, the Passport site then sent a “change password” link by e-mail to any e-mail address that had been included as a second parameter. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked“) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.

In August 2002, Microsoft agreed to settle a complaint filed by the U.S. Federal Trade Commission (FTC) against Passport and its Wallet credit-card payment feature.

  • “Microsoft falsely represented,” according to the FTC action, “that it employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers’ personal information collected through its Passport and Passport Wallet services, including credit card numbers.”

One researcher who sounded the latest alarm bells, Qazi Ahmed of PakCERT (Pakistan Computer Emergency Response Team), said in a statement that other issues remain unsolved in Passport. “We were forced to release this information publicly,” Ahmed reported, “as these vulnerabilities are actively being exploited in the wild and are some of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net/Passport.” He declined to reveal technical details of the other problems because, he said, Microsoft has no fix available yet.

My take? Don’t use Passport or enter any credit-card or financial information into it. Unfortunately, this may be difficult for some users. Microsoft requires a Passport account to access several of its services, including Hotmail and technical support for some consumer products. But I’d say you can have a Wallet full of credit cards or you can have a wallet full of credit cards. The choice is yours.

My thanks to reader James Merrill for his help on this topic. To send me more information about this, or to send me a tip on any other subject, visit
= Paid content

All Windows Secrets articles posted on 2003-05-22: