Another Passport Flaw Reported

A newly disclosed vulnerability could let attackers reset passwords and hijack older Microsoft .Net Passport accounts, according to a message on an online mailing list discussing software vulnerabilities.

.Net Passport is Microsoft's online identity management service. It enables customers to use a single e-mail address and account password to sign on to a variety of affiliated services and Web sites. Microsoft's free Hotmail e-mail service and a number of partner sites support .Net Passport.

New Vulnerability

The vulnerability is in code used to help users who have forgotten their account password.

Microsoft has implemented a Secret Question feature to validate the identity of a user who needs to reset an account password. But according to the security list discussion, attackers can manipulate this feature on .Net Passport accounts that were set up before Microsoft implemented the Secret Question function. The flaw was described in a message posted by Victor Manuel Alvarez Castro, who identifies himself as a security consultant.

Microsoft did not immediately respond to requests for comment.

Accounts created since the Secret Question feature was implemented require the account owner to establish a secret question to retrieve their password, so not all .Net Passport users are affected by the flaw.

It has been "a couple of years" since the Secret Password feature was implemented, Castro says.

Still Some Safeguards

To take advantage of the vulnerability, an attacker must know both the e-mail address and the home country of the account owner. In the case of U.S.-based accounts, an attacker also needs the state and the zip code of the account owner.

Those conditions make it more difficult to exploit the vulnerability, according to Rafael Nunez, a senior research scientist at Scientech de Venezuela in Caracas, Venezuela, who is known online as "[RaFa]."

However, given the estimated 200 million .Net Passport accounts and the length of time that services like Hotmail have been online, there may be a large number of accounts affected by the Secret Question vulnerability, Nunez said.

A miscreant who is familiar with the victim would find the vulnerability especially useful for launching targeted attacks, he said.

Once in control of the victim's .Net Passport account, an attacker could pose as that person online, using the victim's e-mail account or other services, such as Microsoft's MSN instant messenger, to perform "social engineering" attacks to collect other sensitive information, Nunez said.

Related Problems

This is the second vulnerability affecting .Net Passport in as many months, continuing to raise concerns about the security of the service. In May, Muhammad Faisal Rauf Danka, a security researcher in Pakistan, reported a flaw that involved Passport users who forget their passwords. This function let users change their passwords using an e-mail message sent to an address associated with their Passport account.

The flaw enabled an attacker to have the message containing the password update sent to an e-mail address of the attacker's choice, and required little more than knowledge of the victim's e-mail address to use.

In that instance, repeated e-mail messages from Danka to Hotmail support went unanswered, prompting him to disclose the problem publicly.

Similar confusion about the correct procedure for reporting vulnerabilities may be at play in the latest revelation as well, which was not first disclosed to Microsoft, Nunez says. He says he learned of the vulnerability from a Spanish-language vulnerability-discussion list on Friday.

Nunez worked with Castro to direct him to the appropriate Microsoft security group, but Castro released the information online instead, Nunez says.

Microsoft has been under pressure to improve its security and reporting procedures. Last summer, the Federal Trade Commission ordered Microsoft to acknowledge and address vulnerabilities, and submit to independent evaluation every 2 years for the next 20 years.