BBC NEWS

Monday, 5 November, 2001, 17:43 GMT
New flaw puts Passport offline
Passport: Microsoft's first strike in the fight to introduce .NET
Microsoft has had to take its ecommerce system, Passport, offline for 48 hours after a programmer in Seattle found a way to steal users' credit card numbers.

Microsoft insisted that no-one's information was compromised, and that it has now corrected the flaw.

And even the programmer concerned said that users of Microsoft's new Windows XP operating system, which is irrevocably integrated with Passport as a means of forcing it into the mainstream, would not have been affected.

But the move follows a string of incidents where either security in Passport - or the Hotmail free e-mail system to which it is tightly bound - has proved to be lax.

That has proved embarrassing for the software giant, since both are at the heart of its .NET project to extend its control of personal computing to the network.

And it also comes as Microsoft is trying to rewrite the rules for its dealings with computer security companies to stop them from revealing its security errors until it has found a cure for them - however long that takes.

Hotmail hole

In this case the programmer, Marc Slemko, found a way to get Hotmail users' credit card numbers simply by sending them an e-mail.

He exploited a feature of the system that allows users to buy goods from sites using Passport without having to sign in again - as long as they have signed into Hotmail no more than 15 minutes earlier.

By sending a given user an e-mail containing a carefully crafted bit of code, Mr Slemko showed he could get access to credit card details as long as the user replied within the 15-minute margin.

Mr Slemko alerted Microsoft to the exploit before publishing the details, and his website says the company corrected it within 48 hours.
