Microsoft Patches .NET Passport Hole

Microsoft on Thursday plugged a security hole in its all-encompassing .NET Passport service after an attack scenario was made public, showing how users' passwords could be stolen.

The security vulnerability, which was posted to the Full-Disclosure e-mail list, also put personal information of millions of Hotmail users at the mercy of attackers.

The flaw, which has since been fixed, would allow an attacker to use a Web-based scenario to change any Passport user’s password to an arbitrary value. Once the password is reset, the attacker would get complete access to the hacked account.

The glitch is yet another stumble for Microsoft’s efforts to position Passport as a one-stop-shop where personal information is stored and used for online activity such as shopping and accessing content. Microsoft has spent heavily on tightening up security in recent years, but the problem could end up costing it more.

The Federal Trade Commission (FTC), which has an order against Microsoft after a settlement over lapsed Passport security, declined comment on the specifics of this latest vulnerability.

Assistant director for financial practices at the FTC, Jessica Rich, said the agency “routinely monitors compliance with our orders,” noting that fines ranging up to $11,000 per violation can be levied for non-compliance.

The prior settlement between the FTC and Microsoft last year over Passport security issues led to a pledge from the software giant to implement “reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation,” according to a report from the Associated Press.

Microsoft acknowledged to the AP that the hole affected 200 million accounts. If each vulnerable account were to constitute a separate violation of last year’s pledge, the potential fine against Microsoft could top out at $2.2 trillion.

When asked if the FTC was investigating the latest Passport security issue, Rich said, “We have an order against Microsoft but all our investigations are non-public. In all cases, if we find non-compliance, we can levy fines.”

According to the Full-Disclosure post, an attacker could simply cut and paste a Web address containing the e-mail address of the .NET Passport user’s account as well as an e-mail address to which a password-reset form could be mailed. Once that information was entered, the system was susceptible because Microsoft would then send a URL to the e-mail address provided by the attacker, allowing a new password to be entered.
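The design error described above, shown next to a corrected handler. This is an added example, not code from Microsoft or from the Full-Disclosure post; the parameter names `account` and `send_to`, the `idp.example` host, the token lifetime and the account data are all hypothetical.

```python
import secrets
import time

# Constructed data: account id -> e-mail address verified at sign-up.
ACCOUNTS = {"alice@example.com": "alice@example.com"}
TOKEN_TTL = 15 * 60          # assumed token lifetime, in seconds
_tokens = {}                 # token -> (account, expiry timestamp)

def _reset_link(account):
    token = secrets.token_urlsafe(32)
    _tokens[token] = (account, time.time() + TOKEN_TTL)
    return "https://idp.example/reset?t=" + token

def request_reset_flawed(params, outbox):
    """Flawed pattern: the delivery address is read from the request."""
    account = params["account"]
    if account in ACCOUNTS:
        outbox.append((params["send_to"], _reset_link(account)))

def request_reset_hardened(params, outbox):
    """Delivery address comes only from the server-side account record."""
    account = params.get("account")
    verified = ACCOUNTS.get(account)
    if verified is None:
        return               # respond identically for unknown accounts
    # Any caller-supplied 'send_to' is deliberately ignored.
    outbox.append((verified, _reset_link(account)))

def redeem(token):
    """Single-use, time-limited token: returns the account or None."""
    account, expiry = _tokens.pop(token, (None, 0))
    return account if time.time() < expiry else None

def recipients(handler, params):
    """Run a handler and list where its reset links were sent."""
    outbox = []
    handler(params, outbox)
    return [to for to, _link in outbox]

if __name__ == "__main__":
    req = {"account": "alice@example.com", "send_to": "other@example.net"}
    print("flawed  :", recipients(request_reset_flawed, req))
    print("hardened:", recipients(request_reset_hardened, req))
```

The hardened handler never lets the request choose where the reset link goes, so the only party who can complete the reset is whoever controls the address already on file.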

Microsoft .NET Passport is the company’s single-ID application that powers e-commerce, e-mail and other Internet applications. The security hole was particularly serious because of the e-commerce capabilities it offers to millions of users around the world.

Because it stores personal information and credit card numbers in users’ Passport accounts, the flaw could have been used for identity theft. It is not yet clear if any user information was compromised. Most alarming was a note accompanying the posting of the attack scenario, which said that Microsoft had ignored several attempts at notification.

The Passport service, which drew the ire of privacy advocates, was modified in January this year because of concerns it does not adequately protect data privacy.