Major Microsoft security flaw exposed

A serious security flaw in Microsoft's Passport service put users' accounts, including their personal information and credit card numbers, at risk of being hijacked.

The flaw, in Passport's password recovery mechanism, allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure.

The simplicity of the attack and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.

In an email to CNET News.com the person who posted the vulnerability said: "It is hardly an exploit or even vulnerability; it's just a flaw in their web-application logic."

"The flaw has been there since long time, I just discovered it recently," wrote the individual who identified himself as Muhammad Faisal Rauf Danka. He claimed to be a Pakistani security consultant and MBA candidate.

Microsoft has touted Passport as a technological centrepiece in the company's web services future. Passport accounts are central repositories for a user's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the user's online accounts.

Microsoft moved quickly to prevent online vandals from exploiting the issue. The advisory was posted just before 20:00(PDT), and by 23:30(PDT), the software giant had essentially turned off the vulnerable feature. "We have shut down all ability to reset passwords," said Sean Sundwall, spokesman for the company.

The flaw allowed a single web address - or URL - to be used to request a password reset from the Passport servers. The URL contains the email address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.

Danka claims to have found the issue after a friend's account had been hacked.

In his email he wrote: "Later, my friend gave the 'attacker' my passport address as a challenge, and mine was compromised as well." Not long after, he figured out how the attacker had compromised the accounts.

The security consultant also said that he had repeatedly sent email warnings to Microsoft's abuse and security addresses at Hotmail.com to no avail. However, he didn't send an email to Microsoft's standard security contact point, secure@microsoft.com.

Several security experts confirmed that the flaw could be exploited in the manner described by Danka.

Wayne Chang, a student at the University of Massachusetts at Amherst, said: "I tried it on my own account and I tried it on my friends' accounts, with full permission; it worked on all occasions. This is definitely a big security flaw."