A recent security flaw in Microsoft’s Passport service – which provides on-line identity authentication for 200 million users – has led analyst firm Gartner to warn its clients not to use the system even though Microsoft has since fixed the problem.

The Passport service allows a user to sign into any participating site by using only the user’s e-mail address and a single password. But on 8th May, Microsoft admitted that a serious security flaw had been discovered in the system.

The flaw could allow a novice hacker to hijack another's account, thereby accessing credit card details and more, by using a function that resets forgotten passwords.

To hack the system, all that was needed was to enter into a web browser a URL containing the e-mail address of the account to be changed and the e-mail address to which the hacker wanted the new password sent.

Only when the holder tried to log in using the old password or, more likely, when the credit card bills began to flood in, would the account holder discover what had happened.
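The class of flaw described above, a reset function that trusts a delivery address supplied in the request, is shown below next to a hardened form. This is an added illustration, not Microsoft's code: the handler names, the `account` and `send_to` parameters, the in-memory stores and the sample addresses are all hypothetical.

```python
import hashlib
import secrets
import time

# Constructed sample data; a real store keeps a salted password hash, not the password.
ACCOUNTS = {"alice@example.com": {"password": "old-secret"}}
OUTBOX = []    # stands in for the mail system: (recipient, body)
PENDING = {}   # sha256(token) -> (account, expiry time)
TOKEN_TTL = 15 * 60


def send_mail(to, body):
    OUTBOX.append((to, body))


def reset_vulnerable(params):
    """Flawed design: the request decides where the reset message goes."""
    account, dest = params["account"], params["send_to"]
    if account in ACCOUNTS:
        send_mail(dest, f"password reset for {account}")


def request_reset(params):
    """Hardened: any destination in the request is ignored. The message goes
    only to the address on file (here the account's own e-mail address) and
    carries a random, expiring, single-use token."""
    account = params.get("account", "")
    if account not in ACCOUNTS:
        return  # same outcome for unknown accounts, so existence is not revealed
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (account, time.time() + TOKEN_TTL)  # store only the hash
    send_mail(account, f"reset token: {token}")


def complete_reset(token, new_password):
    """Change the password only for a valid, unexpired token, and consume it."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)
    if entry is None or time.time() > entry[1]:
        return False
    ACCOUNTS[entry[0]]["password"] = new_password
    return True
```

In the hardened flow the holder also learns of any reset attempt immediately, because the only message sent lands in their own mailbox.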

Microsoft has confirmed that the flaw was quickly rectified and that, so far as it is aware, no accounts were tampered with.

However, while acknowledging the repair, Gartner warned:

“A serious security flaw shows that Microsoft Passport identities could be easily compromised. Financial institutions and other enterprises should replace or augment Passport until at least November 2003.”

The hard-hitting report speculates that more vulnerabilities are likely to surface in the software. Consequently, Gartner says business users should abandon it until Microsoft can prove that proper security is in place.

Gartner also recommends that businesses contact customers who use Passport, advising these customers to follow Microsoft’s instructions with regard to the breach.
