Millions of .Net Passport Accounts Put at Risk

A flaw allowed attackers to reset the password to any account, and thereby access users' personal information.

Millions of .Net Passport accounts were threatened by a flaw in the log-in services coding that allowed attackers to reset the password to any account, and thereby access users personal information.

The problem enabled an attacker to change the password on any account for which he knew the user name, simply by entering a URL into a browser. News of the flaw was published on the Full Disclosure security mailing list late Wednesday night. Microsoft Corp., which owns the Passport service, quickly disabled the mechanism that allowed the unauthorized password changes.

The Passport service, which Microsoft has long promoted as a simple, secure single sign-on service, also houses a good deal of users personal information. Credit card numbers and other data are stored in users Passport accounts. The same system controls the log-in mechanism for Microsofts Hotmail service.

To exploit this vulnerability, an attacker could simply cut and paste a URL containing the Passport account holders e-mail address as well as the address to which hed like the password-reset request sent. This results in the Passport servers sending an e-mail to the attacker-specified address that contains a link which allows the attacker to reset the accounts password.

Once this is done, the attacker has full access to the users account, including whatever e-mail accounts are associated with it.

The vulnerability was apparently discovered by a Pakistani man, who posted his findings on the Full Disclosure list. Several other list members quickly posted messages confirming the nature and scope of the problem. But within a few hours of the original posting, Microsoft, based in Redmond, Wash., had addressed the issue.

Microsoft officials say they were forced to temporarily block all access to the mechanism that allows users to reset their passwords via e-mail. That has since been restored for the most part, and should be completely back online later Thursday morning.

The company said it has not seen any spikes in activity that would indicate the vulnerability is being exploited on a large scale. "But were going to be very aggressive in making sure that customers werent affected by this," said Adam Sohn, product manager for Passport.