[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 9 May, 2003, 19:53 GMT 20:53 UK
Flaw exposes Microsoft ID service
Screen grab of Passport website, Microsoft
The online ID service has been vulnerable for months
Microsoft has admitted that for the last seven months up to 200 million Passport accounts have been vulnerable to plundering by thieves and malicious hackers.

The loophole in the online identity service only seems to have been exploited in the last month and Microsoft said it had locked all compromised accounts and fixed the bug.

The vulnerability lets a criminal get access to a Passport account using a specific web address and a trigger phrase.

It was discovered by a Pakistani researcher who had some of his own accounts hijacked by hackers exploiting the flaw.

Simple attack

Passport is closely tied to Microsoft's Windows XP, Hotmail and instant messaging products.

It was so simple to do it. It shouldn't have been so simple. Anyone could have done this
Muhammad Faisal Rauf Danka, Pakistani researcher

Some online businesses use Passport as an ID guarantee to let people access personalised accounts and buy goods or services online.

Criminals exploiting the flaw could have gained access to personal information, credit card details and online mail accounts.

The Passport bug was found by Muhammad Faisal Rauf Danka, a freelance computer security consultant.

Some of the Passport accounts owned by Mr Danka and his friends had been hijacked.

In discovering how this was done, he found the website that gives privileged access to personal accounts and lets passwords be reset.

"It was so simple to do it. It shouldn't have been so simple," said Mr Danka, "Anyone could have done this."

Reportedly Mr Danka sent 10 messages to Microsoft detailing the vulnerability but got no response.

Microsoft only reacted when information about the flaw was posted online

The flaw has left 200 million Passport accounts vulnerable for the last seven months. The website giving access to the accounts has now been shut down.

The security lapse is embarrassing for Microsoft which is trying to shed its image of a software maker with a lax attitude to security.

The bug could leave the software giant open to fines from the US Federal Trade Commission.

Under an agreement reached with the FTC in mid-2002 Microsoft said it would take reasonable steps to protect Passport accounts, pledged to stop overselling the security of the sign-in system and agreed to pay fines if it failed in its duty.

Microsoft potentially faces an enormous fine if the full fee of $11,000 per security lapse is applied.


Your comments

Lack of responsible computing is to blame here
Jason Wickens, UK
Let's all have a go at Microsoft. No I don't think they are brilliant either, but they are the best there is. Linux is NOT a realistic alternative. I have been in the IT industry for over 15 years and have seen how it has come on leaps and bounds thanks to everybody understanding being compatible with the industry standard, which is synonymous with Microsoft formats. Yes, they do have lots of security flaws as they are the only target for hackers etc...but lack of responsible computing is to blame here.
Jason Wickens, UK

Are we really surprised by this? My MSN account has to have been hacked, I can't think of any other reason why every company on the net can send me an e-mail. Which, by the way, penetrate the "impenetrable" MS security every time.
Matthew Wall, USA

It's become a daily ritual for me to delete 50 or so, spam mails in my Hotmail account. Most of them are from porn sites and some unknown sites selling all kinds of products. I have been careful with registering my details. I had mailed Microsoft couple of times earlier regarding this issue and no response. Only mails from them warning my inbox is brimming to its capacity.
Suresh V P, UK

They replied telling me that their software is secure
Jon Hoyle, England
A few months ago I was receiving e-mails from two companies selling firewall and "evidence removal" software. These mails appeared to come from the friends out of my address book although none of them had sent them. I informed Microsoft of the IP address the mails were coming from and they replied telling me that their software is secure but if I was worried I should change my password.
Jon Hoyle, England

I also had this done to my account and the fact that it took 10 e-mails for them to react to it is absolutely pathetic and isn't heard of among any other respected companies in the realm of computers.
Brett Butcher, England

I have been affected by this. Someone has been retrieving my emails without me knowing about it. I do not think that I have to explain the damage that could have been and still can be caused by that malicious act. After a while someone changed the password on my hotmail account. Till this day I am unable to get into my mailbox. I feel violated. I have lost trust to any of the web based e-mail providers.
Marzena, USA

I had all my accounts hacked in March. I sent the details and the person's address involved (he told me what he did!) to Microsoft. They ignored my letter and I never had a reply.
James Andrew, Bahrain

When I signed in to check my hotmail account on my new laptop, it automatically signs on to the Windows messenger. In a couple of minutes without failure I would have a pop up message notifying me that I have been signed out at the current location since I logged in at another location. I sent mail to MS but never got anything back from them. I hope that now they will take care of this issue, if not they should be made to pay for it.
Ravi Prakash, USA

The hotmail address is kept well away from my children
Ken Whalley, UK
I have about 10 e-mail addresses, one of which is a hotmail account. I never have any problems with the other nine addresses. But the hotmail address is kept well away from my children as all I get are emails advertising porn web sites. I have never gone to any site and given this address to anybody, but get two or three e-mails a day via the hotmail account. Every porn site in the US knows my hotmail address so I would never trust Microsoft with any personal details.
Ken Whalley, UK

I was not surprised to hear that he emailed Microsoft 10 times with no response. These companies have become so arrogant and so far removed from the real user experience that their customers have to go through, that they are hiding behind their bots who now provide "customer service", and humans are either nowhere to be seen, or so ignorant of their own systems that they are no help anyway.
Robert, UK

Time has come for everyone to switch over to Linux. Microsoft products have lacked security and stability and I think this will remain so in the foreseeable future. One has but the most compelling reasons to start using Linux. Linux is not only stable, but also very secure. There is no such concept of virus attacks etc. in Linux. I am personally using Linux in my machine (which I haven't yet re-booted since the last three months) and never have faced such problems. The problems which are so common to Microsoft users were never even heard of by us.
Ashik Iqubal, India

I am a seasoned web developer, and Microsoft has a role in almost every task of my profession. This error does not surprise me at all, because I have dealt with Microsoft's software my entire career. Microsoft continues to add new features to its products, but does not appear to desire seamless, quality programming as the foundation for its software!. I really hope Microsoft can shape up because it often makes my work frustrating. Maybe this security breach will be a wake-up call for them, although I doubt it.
Benjamin Proctor, USA

Our privacy is very dear to us and everything should be done to avoid unauthorised persons from having access to it. Microsoft tried its best to protect us at cost, but we programmers sometime make mistakes. Looking at the benefits we get from Microsoft services and programs, I think we all should forgive it for whatever loss we have suffered.
T Obediah Cooper, Liberia




SEE ALSO:
Signs point to smarter websites
17 Jul 02  |  Science/Nature
Closing the holes on hackers
03 May 03  |  Technology
Warning of serious Windows hole
21 Nov 02  |  Technology
Microsoft rapped over privacy failings
08 Aug 02  |  Technology
Microsoft to tackle security failings
17 Jan 02  |  Science/Nature
Microsoft opens up Windows
22 Apr 03  |  Technology
Microsoft agrees $1.1bn legal deal
11 Jan 03  |  Business
Microsoft in the dock over security
09 May 03  |  Technology


RELATED INTERNET LINKS:
The BBC is not responsible for the content of external internet sites


PRODUCTS AND SERVICES

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific