Millions of .Net Passport Accounts Put at Risk
A flaw allowed attackers to reset the password to any account, and thereby access users' personal information.

Millions of .Net Passport accounts were threatened by a flaw in the log-in service's code that allowed attackers to reset the password of any account and thereby access users' personal information. An attacker could change the password on any account whose user name he knew, simply by entering a URL into a browser. News of the flaw was published on the Full Disclosure security mailing list late Wednesday night. Microsoft Corp., which owns the Passport service, quickly disabled the mechanism that allowed the unauthorized password changes.

The Passport service, which Microsoft has long promoted as a simple, secure single sign-on service, also houses a good deal of users' personal information: credit card numbers and other data are stored in users' Passport accounts. The same system controls the log-in mechanism for Microsoft's Hotmail service.
To exploit the vulnerability, an attacker needed only to cut and paste a URL containing the Passport account holder's e-mail address together with the address to which he wanted the password-reset request sent. The Passport servers then mailed a link to that attacker-specified address, and following the link allowed the attacker to reset the account's password. In other words, the reset service trusted a parameter in the request to decide where the reset link was delivered, instead of sending it only to the contact address already registered for the account.
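The following is an added illustration, not code from the article or from Microsoft's Passport service. It reproduces the class of bug described above in a toy password-reset handler and places a corrected handler beside it. The parameter names (`account`, `send_to`), the token format, the `sso.example` host and the in-memory account store are all assumptions made for the example; the real Passport parameters are not given in the article.

```python
"""Toy password-reset flow: attacker-chosen reset destination vs. a fixed version.

Added example, not the article's or Microsoft's code.  Parameter names, hosts,
token format and the account store are constructed for illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed account store: account name -> verified contact address + password.
ACCOUNTS = {
    "victim@example.com": {"contact": "victim@example.com", "password": "old-secret"},
}
OUTBOX = []    # (recipient, reset_link) pairs the mail subsystem would deliver
PENDING = {}   # token -> (account, expiry) for reset links that are still valid


def _param(url, name, default=""):
    """Return the first value of a query-string parameter, or a default."""
    return parse_qs(urlsplit(url).query).get(name, [default])[0]


def _issue_link(account, ttl_seconds):
    """Mint a single-use, expiring token bound to the account and build the link."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = (account, time.time() + ttl_seconds)
    return f"https://sso.example/reset?token={token}"


def reset_vulnerable(url):
    """Vulnerable handler: mails the reset link wherever the request says.

    The 'send_to' parameter is attacker-controlled, so anyone who knows the
    victim's account name can have the reset link delivered to themselves.
    """
    account = _param(url, "account")
    send_to = _param(url, "send_to", account)          # trusted from the request
    if account not in ACCOUNTS:
        return "no such account"                       # also leaks account existence
    OUTBOX.append((send_to, _issue_link(account, 3600)))
    return "mail sent"


def reset_fixed(url):
    """Fixed handler: the destination comes only from the stored account record.

    Any 'send_to' in the request is ignored, the link is short-lived and
    single-use, and the response is identical whether or not the account
    exists, so the endpoint cannot be used to enumerate accounts either.
    """
    account = _param(url, "account")
    record = ACCOUNTS.get(account)
    if record is not None:
        OUTBOX.append((record["contact"], _issue_link(account, 600)))
    return "if that account exists, a reset mail has been sent"


def complete_reset(token, new_password):
    """Consume a reset token; returns True only for a valid, unexpired, unused token."""
    entry = PENDING.pop(token, None)                   # pop makes the token single-use
    if entry is None:
        return False
    account, expires = entry
    if time.time() > expires:
        return False
    ACCOUNTS[account]["password"] = new_password
    return True


def last_recipient():
    """Address the most recent reset mail was sent to (None if nothing was sent)."""
    return OUTBOX[-1][0] if OUTBOX else None


if __name__ == "__main__":
    evil = "https://sso.example/reset?account=victim@example.com&send_to=attacker@evil.example"
    print(reset_vulnerable(evil), "->", last_recipient())   # attacker gets the link
    print(reset_fixed(evil), "->", last_recipient())        # victim gets the link
```

The fix is the one-line change of where the recipient comes from; the rest (short expiry, single use, uniform response) is what a reviewer would expect to see around any reset endpoint, since a reset link is a bearer credential for the account.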