BBC News
Last Updated: Friday, 9 May, 2003, 12:20 GMT 13:20 UK
Microsoft in the dock over security
Microsoft boss Bill Gates
Bill Gates has promised more secure Microsoft software
Microsoft's latest security blunder was the result of an obvious hole that should have been plugged months ago, says technology analyst Bill Thompson.

Technology news sites around the web have been up in outrage over the latest security flaw in Microsoft's Passport service.

Everyone has found space to criticise the apparent sloppiness of the developers at Microsoft, who had left an obvious hole in the way the service deals with lost passwords.

In case you are not one of the 200 million people who have signed up, a number which includes every Hotmail user, Passport lets you set up a single online identity which you can use when visiting a wide range of websites.

You store your personal information with Passport and it is handed over to participating websites based on what you decide, and you do not need to remember lots of login names and passwords.

In theory it is a useful service, although there were enough concerns about such a key component of the net's infrastructure being in Microsoft's hands that a number of other companies got together to form the Liberty Alliance to create an alternative, more open, way of doing the same thing.

Simple hack

Now it seems that a flaw in the password reset mechanism has left Passport completely open to any drive-by hacker, random stranger or friend with a grudge.


If you cannot remember your password then you can go to the Passport site and ask for it to be reset. When you click on the link, the service e-mails a URL to your e-mail address, and you click on that URL to get your new password.

It is simple and it works.

Unfortunately, the link you click on to ask Passport for a new password includes both the details of the account you want reset and the e-mail address to which it sends the generated URL.

If you copy this URL, edit the e-mail address field, and then send it to Passport you can get the link sent to any address you want, after which the Passport account is yours.
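The two handlers below are an added illustration of the pattern the column describes, not Microsoft's Passport code: the first trusts an e-mail address supplied in the reset request, the second sends the link only to the address already on record, with a random, single-use, time-limited token. The account store, mail gateway, hostnames and parameter names are all constructed for this example.

```python
"""Toy password-reset handlers: the flawed shape beside a corrected one.

Constructed example, not Passport's real code. Account data, names,
hostnames and the request format are assumptions for illustration.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample account store: login name -> e-mail address on record.
ACCOUNTS = {
    "alice": "alice@example.com",
    "bob": "bob@example.net",
}

# Stand-in for an outbound mail gateway: records (recipient, body) pairs.
SENT_MAIL = []


def send_mail(to_addr, body):
    SENT_MAIL.append((to_addr, body))


def vulnerable_reset(request_url):
    """Reset flow shaped like the flaw in the column (do not deploy).

    The request names BOTH the account to reset AND the address that
    should receive the link, and the handler trusts the latter blindly.
    Returns the address the link was actually sent to.
    """
    params = parse_qs(urlparse(request_url).query)
    login = params["login"][0]
    destination = params["email"][0]  # client-controlled: the whole problem
    if login not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(24)
    send_mail(destination, f"https://sso.example/reset?token={token}")
    return destination


PENDING = {}      # token -> (login, expiry timestamp); consumed on first use
TOKEN_TTL = 900   # seconds a reset link stays valid (assumed policy)


def hardened_reset(request_url):
    """Corrected flow: the destination comes from the account record only.

    - any 'email' parameter in the request is ignored entirely
    - the token is random, bound to the account server-side, time-limited
    - unknown logins get the same outward response as known ones,
      so the endpoint does not confirm which accounts exist
    """
    params = parse_qs(urlparse(request_url).query)
    login = params.get("login", [""])[0]
    on_record = ACCOUNTS.get(login)
    if on_record is not None:
        token = secrets.token_urlsafe(24)
        PENDING[token] = (login, time.time() + TOKEN_TTL)
        send_mail(on_record, f"https://sso.example/reset?token={token}")
    return "If that account exists, a reset link has been sent."


def redeem_token(presented):
    """Consume a reset token; returns the login it unlocks, or None.

    The token is deleted whether or not it has expired, so it can never
    be replayed; comparison is constant-time to avoid timing leaks.
    """
    for token, (login, expiry) in list(PENDING.items()):
        if hmac.compare_digest(token, presented):
            del PENDING[token]
            return login if time.time() <= expiry else None
    return None
```

The fix is not cleverness in the token; it is refusing to take the delivery address from the request at all. Anything the client can edit in the reset URL must be treated as untrusted input, and the server must resolve where the link goes from its own records.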

It is such an obvious error that it must have been noticed months, if not years, ago by people who decided that this was such a good trick they would not bother telling Microsoft.

It is the sort of programming error that you would expect from a web developer fresh from college. And although it has now been fixed - so do not bother trying it at home - it has been there for a very long time indeed.

$2.2 trillion fine?

Fortunately for those of us who think incompetence should be punished just as virtue should be rewarded, this latest error could cost Microsoft more than $2 trillion in fines.

Bill Thompson
Microsoft's system has been vulnerable to attack for months
This is because Microsoft has already been in trouble over Passport before, and last year the US Federal Trade Commission told it to sort out its act or face a fine of up to $11,000 each time customer privacy was violated.

With around 200 million customers whose privacy has been compromised by the problem, that comes to $2.2 trillion, a sum which even Bill Gates would find hard to find.

In Europe we have data protection laws that apply to every company. But since the US Government believes that protecting personal privacy should be left to the market, the FTC has to threaten you first. They have done that, and this problem might finally persuade them to take some serious action.

Any real fine will be nowhere near the maximum, since the number of people who have had their accounts broken into is probably in the thousands.

Few of us have been foolish enough to keep credit card details in a Passport, and most hackers will have used the flaw to get access to people's e-mail instead.

This may be embarrassing but is unlikely to lead to financial loss. Still, it would be refreshing to see a big company have to pay for such a security lapse and it might encourage others to take the issue more seriously.




Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.


