Microsoft Faces Fine for Security Flaw
Passport vulnerability may violate privacy promise.
Microsoft faces the threat of a hefty fine after scrambling to shut down a flaw in its Passport service that could reveal users' critical personal information. The flaw, which was reported to the company on Wednesday, is located in the service's password recovery system. It allowed intruders to change an account password if they knew the user name. Adam Sohn, a product manager with the Passport team, said the flaw has been shut down and that Microsoft is working quickly to fix the matter.
Still Checking
Sohn said a preliminary investigation suggested that the vulnerability was not seriously exploited. However, such a vulnerability could pose a huge security threat to Passport users who store critical personal information with the service. Microsoft encourages Passport users to enter credit card information, addresses, and other data with the service in order to access various online sites and services without having to reenter their personal information.
The vulnerability was in the function that allowed users to request a forgotten Passport password by e-mail. By tricking the system into initiating an e-mail password reset process, a malicious attacker could then request that the password be sent to a different e-mail address, Sohn said.
Microsoft has turned off the recovery feature while it fixes the problem, and users requesting a forgotten password are being instructed to use other means, such as going through the customer service support page.
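The class of flaw described above, as an added example that is not Microsoft's code: the article does not describe Passport's implementation, so the account store, the function names and the `requested_email` parameter are assumptions. The hardened variant also swaps the e-mailed password for a single-use reset token, a technique the article does not mention.

```python
import secrets

# Constructed sample account store; the user and addresses are illustrative.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}


def reset_destination_weak(username, requested_email=None):
    """Flawed pattern: a caller-supplied address overrides the one on file,
    so knowing the user name is enough to redirect the recovery e-mail."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    return requested_email or account["email"]


class ResetService:
    """Hardened pattern: the destination comes only from the stored record."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # token -> username awaiting reset
        self.outbox = []   # (destination, token) pairs that would be mailed

    def request_reset(self, username, requested_email=None):
        account = self.accounts.get(username)
        if account is None:
            return None
        # requested_email is deliberately ignored: nothing the requester
        # sends may influence where the recovery message goes.
        token = secrets.token_urlsafe(32)
        self.pending[token] = username
        self.outbox.append((account["email"], token))
        return account["email"]

    def redeem(self, token):
        """Return the user the token authorizes, exactly once."""
        return self.pending.pop(token, None)
```
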
Broken Promise?
But under an agreement signed with the U.S. Federal Trade Commission last August, Microsoft promised it would not give false information about security and would improve its privacy protection. The company could face hefty fines--up to $11,000 per violation--if its reset password feature is found to decrease privacy protection.
The company was unavailable for comment on whether it is in discussions with the FTC over the incident.
Microsoft's ambitious Passport initiative has come under fire almost since its inception. Users must submit different levels of personal information in order to establish a Passport account and access various Microsoft services, from Hotmail e-mail to online shopping.



















