COMPUTER RESEARCH & TECHNOLOGY
ETopics Microsoft PASSPORT flaw – 200 million users – 2 trillion dollar fine?

If you are one of the two hundred million or so Microsoft PASSPORT users, you will be surprised to hear that the supposedly highly secure system designed to hold details like your credit card numbers and other sensitive information was relatively easy to hack up until a few days ago.

It may come as some small consolation to know that this latest security lapse from Microsoft could trigger a $2.2 trillion fine on the company courtesy of the US government. The issue is probably the largest vulnerability known to have slipped through Microsoft's security departments since they began their Trustworthy Computing Initiative which was aimed at, among other things, reducing software vulnerabilities.

A "flaw" in Microsoft's password recovery process allowed intruders and hackers to change a customer's password for Microsoft's Passport online-identity service. Right now Microsoft has blocked the exploit, which, by the way, means you had better not forget your password for a while.

What does the Passport system do? What is it meant for?

Passport is supposed to be a fully secure way of logging on to multiple web sites without having to go through an authentication process at every location. You would use it for, perhaps, purchasing items with a single click.

Passport accounts are central repositories for a person's personal online data, including information such as birthdays, credit card numbers and delivery addresses. The accounts are promoted as a single key for a customer's accounts, allowing for easier purchasing of items online. Microsoft estimates that there are at least 200 million active Passport accounts in use today.

Exactly when was this security breach discovered?

The Internet community was alerted last week when a notice was posted to the Full Disclosure web site security mailing list.

A Pakistani student, who also calls himself a "security consultant", apparently discovered the security issue and made it public knowledge. He is said to have stated: "It is so simple that it is funny." He claimed to have attempted to contact Microsoft through several different e-mail accounts, including the address security@microsoft.com.

A Microsoft spokesman said this account is the general e-mail account for Microsoft's corporate security teams, not its product security. The e-mail was eventually forwarded to the Microsoft Security Response Centre, but not before the company had already learned of the issue from a news organisation.

The same spokesman said: "You live and learn. We will obviously take a hard look to make sure that if something is sent through the non-standard channels, and it is real, we are all over it."

How did the researchers identify the Passport problem?

The flaw was apparently discovered about four minutes after the security researcher who identified it set to work on Passport. He was able to access Passport accounts with ease by simply typing "emailpwdreset" into an Internet address (URL) that contained the e-mail address of a user account and the address to which the password reset message should be sent.
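The weakness described above is a design error rather than a coding slip: the reset request itself named the mailbox that should receive the reset message. The following is an added example, not code from the article or from Microsoft, that models that pattern beside the corrected one. The parameter names ("account", "deliver_to"), the in-memory account store and the mail sink are all constructed for illustration and are not Passport's real interface; the fix is that the delivery address comes only from the account record, the token is stored hashed, and it expires and is single-use.

```python
"""Added example: a reset handler that takes the delivery address from the
request (the pattern the article describes) beside one that takes it from
the account record. All names here are hypothetical, not Passport's own."""
import hashlib
import secrets
import time

# Constructed account directory: stands in for the real user store.
ACCOUNTS = {
    "alice@example.com": {"recovery_email": "alice@example.com", "password": "old"},
}

OUTBOX = []       # constructed mail sink: list of (recipient, token) tuples
PENDING = {}      # sha256(token) -> (account, expiry timestamp)
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid


def vulnerable_reset(params):
    """Flawed pattern: 'account' names the user and 'deliver_to' names where
    the reset token is mailed. Whoever knows the account address decides
    which mailbox receives the token."""
    account = params.get("account")
    if account not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append((params["deliver_to"], token))
    return params["deliver_to"]


def hardened_reset(params):
    """Corrected pattern: the delivery address is read from the account
    record; a 'deliver_to' in the request is ignored. The reply is the same
    whether or not the account exists, so the endpoint does not confirm
    which addresses are registered."""
    account = params.get("account")
    record = ACCOUNTS.get(account)
    if record is not None:
        token = secrets.token_urlsafe(32)
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = (account, time.time() + TOKEN_TTL)
        OUTBOX.append((record["recovery_email"], token))
    return "If that account exists, a reset message has been sent."


def complete_reset(token, new_password, now=None):
    """Redeem a token once, within its lifetime. Only the hash is stored,
    so a copy of PENDING alone does not let anyone finish a reset."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    account, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[account]["password"] = new_password
    return True


def demo():
    """Send the same request through both handlers: the account is alice's,
    but the request asks for the token to go to a different mailbox.
    Returns the list of recipients the two handlers actually mailed."""
    OUTBOX.clear()
    PENDING.clear()
    request = {"account": "alice@example.com", "deliver_to": "mallory@example.net"}
    vulnerable_reset(request)   # mails the token to mallory@example.net
    hardened_reset(request)     # mails the token to alice@example.com
    return [recipient for recipient, _ in OUTBOX]


if __name__ == "__main__":
    print(demo())   # ['mallory@example.net', 'alice@example.com']
```

The point to audit in any reset flow is the single line that picks the recipient: if it reads from the request rather than from the stored record, knowing an account's e-mail address is enough to take it over, which is exactly the gap the article describes.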

The intrusion was so incredibly simple that it seems highly unlikely that it has only just now been discovered. There have certainly been plenty of cases of Passport users who have claimed identity theft. To be kind, some would say that those complaining have been treated as though they were using insecure passwords, but it now seems obvious that this may not have been the case.

What have Microsoft done about this situation?

As at the time of writing, Microsoft has shut down the whole password reset system to stop the exploit from being used. However, questions really do need to be asked about how such a monumentally obvious security flaw got through the firm's inspection process in the first place. It's not as if it was just people's email at risk; it was their finances and security information as well.

Whilst Microsoft fixed the problem within eight hours of its disclosure, the incident doesn't bode well for them. Some would suggest Microsoft's problems with security vulnerabilities are widely known in the tech industry but not necessarily with average consumers. This will now very likely make those same consumers very wary of the company's software as they learn about security issues like this.

Is anybody policing the effects of these security breaches?

The American Federal Trade Commission last year demanded that Microsoft improve its Passport security or risk facing stiff fines of up to $11,000 per violation. Microsoft promised to work harder to protect consumer information and launched its Trustworthy Computing initiative to put regulators' minds at ease.

At this time the FTC is looking into the Passport breach and could hit Microsoft with a fine of $2.2 trillion to cover all 200 million violated users.

Whilst Microsoft may say, "You live and learn," the exploit was really a stupefying gap. All an attacker really needed was a user name, and they could have the password reset request sent anywhere they liked. Can we afford to wait for secure systems, or is password security one of those things we should learn to live without?


Arthur Hissey
Computer Research & Technology
www.crt.net.au


Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM.

Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry.