Passport's Security Questioned
Reports of new flaws challenge Microsoft's credibility.
The recent disclosure of a serious security flaw in Microsoft's Passport service underscores the shortcomings of developing and managing the single sign-on technology, and may undermine Microsoft's efforts to push Passport's adoption, an industry analyst says.
The flaw came to Microsoft's attention late Wednesday after details about it were posted to an online software vulnerability discussion list.
The vulnerability is in a function that enables Passport users who forget their password to change it through an automated system that sends an e-mail message to an address associated with their Passport account. The flaw enables an attacker to reroute the password reminder to an e-mail address of their choice, and requires little more than knowing their victim's e-mail address.
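The flaw described above belongs to a well-known class: a reset flow that takes the destination mailbox from the request rather than from the account record. As an added illustration that is not Microsoft's code and not the report from the mailing list, here is a hypothetical reset handler in its weak form next to a hardened form that mails only the address on file and issues a single-use random token; the account store and outbox are constructed stand-ins for a real database and mail transport.

```python
import hashlib
import secrets

# Constructed sample account store (hypothetical, not Passport data).
ACCOUNTS = {"victim@example.com": {"password": "old-secret"}}

# Outbox standing in for a mail transport so the example runs offline.
OUTBOX = []

# sha256(token) -> account e-mail; only the digest is stored server-side.
RESET_TOKENS = {}


def weak_reset(account_email, send_to):
    """Weak handler: trusts the caller-supplied destination mailbox.
    Anyone who knows the account e-mail can steer the reset message
    to a mailbox of their choosing (the pattern the article describes)."""
    if account_email not in ACCOUNTS:
        return False
    OUTBOX.append((send_to, f"reset link for {account_email}"))
    return True


def hardened_reset(account_email, send_to=None):
    """Hardened handler: ignores any caller-supplied destination, mails
    only the address on file, and sends a fresh single-use random token.
    Always returns True so the response does not reveal which accounts exist."""
    if account_email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = account_email
        OUTBOX.append((account_email, f"reset token {token}"))
    return True


def redeem_token(token, new_password):
    """Consume a token exactly once and set the new password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    email = RESET_TOKENS.pop(digest, None)  # pop makes it single use
    if email is None:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


def demo():
    """Returns where each handler delivered a reset requested with a
    caller-supplied destination: (weak destination, hardened destination)."""
    OUTBOX.clear()
    weak_reset("victim@example.com", "other@example.net")
    weak_dest = OUTBOX[-1][0]
    hardened_reset("victim@example.com", "other@example.net")
    return weak_dest, OUTBOX[-1][0]
```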
Short-Term Fix
Microsoft scrambled late Wednesday and Thursday to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored by early Thursday morning, with only a "handful" of .Net Passport customers affected, Sohn said.
But Microsoft claims Passport has 200 million registered users, and many of the Passport Wallet features contain sensitive financial information. Consequently, the incident is raising questions about the security of the entire Passport service, says John Pescatore, a Gartner analyst.
"This definitely raises the possibility that there are larger security issues (with Passport)," he said.
It also could result in a fine, if the Federal Trade Commission decides Microsoft violated an agreement to implement stricter security in Passport.
That someone outside Microsoft could discover such a glaring security hole, years after Passport's debut, does not bode well for the service, Pescatore says.
"We're talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows," he said.
The password vulnerability discovered Wednesday may indicate that Microsoft does not subject its services, such as Passport and MSN TV, to the same security scrutiny as its server and desktop products, Pescatore said.
Investigation Promised
Sohn defends Passport's security. Microsoft conducts security training and code reviews for Passport much as it does for Windows Server 2003 and other products, though not on the same scale.
"It's not a system that's rife (with errors)," Sohn says. "It's a hardened system. We feel we employ very high levels of scrutiny."
Microsoft has improved security of its products through its Trustworthy Computing initiative, Sohn says. Despite this and other publicized vulnerabilities, he says there is little evidence of customer information being compromised.
It is too early in the investigation to say whether Microsoft's security testing tools and procedures are to blame, Sohn notes. Microsoft will review the Passport code review process and test tools to figure out how the security hole was left open, he says.
"We want to go out and figure out in a granular way how these got through," he adds.
Microsoft's bug reporting system for Passport is also under scrutiny, Sohn says.
Repeated efforts to contact Microsoft regarding the password problem allegedly went unanswered, according to a post on the Full-Disclosure public mailing list by Muhammad Faisal Rauf Danka, who first reported the issue.
Microsoft has neither confirmed nor denied the charge. But Sohn acknowledges it is possible Danka's e-mail went unnoticed by Microsoft.
Circuitous Report
Systems to process support requests and other problems reported by Passport's millions of users rely on "a lot of automation and natural language processing," Sohn says.
"It's possible that there is some mail sitting there or that the system didn't know what to do with his piece of mail," Sohn says.
Ironically, Microsoft's Security Response Center received Danka's message after it was forwarded by the company's campus security, which manages the physical security of Microsoft buildings, according to Sohn. But by then, Danka's message was already on the Internet, he adds.
Microsoft will likely revamp its forms and procedures for submitting Passport concerns, to try to ensure critical items get to its Security Response Center, Sohn says.
Microsoft will also try to improve its automation technology and ferret out high priority issues from the millions of low-level account and authentication queries submitted each day, he says.
Regardless of any new procedures, exposure of the newest vulnerability will likely further erode Passport's already shaky standing among businesses, Pescatore says.
"Businesses are worried about risks and this makes them even more worried," he says. "If you see one termite, chances are there are a lot more under the surface."