9 May 2003

Microsoft admits Passport service was vulnerable

Microsoft acknowledged a security flaw in its popular Internet Passport service that left 200-million consumer accounts vulnerable to hackers and thieves — an admission that could expose the company to a hefty fine from US regulators.

Microsoft said it fixed the problem early on Thursday after a Pakistani computer researcher disclosed details of it on the Internet. Product Manager Adam Sohn said the company locked out all accounts it believed had been altered using the flaw. He declined to say how many people were affected but said it was a small number.

Several security experts said they had successfully tested the procedure overnight. Sohn said the flaw had apparently existed since at least September 2002, but Microsoft investigators have found no evidence anyone tried to use the technique to seize a Passport account before last month.

Passport promises consumers a single, convenient method for identifying themselves across different Web sites and encourages purchases online of movies, music, travel and banking services.

Closely tied to Microsoft’s flagship Windows XP software, Passport also controls access for Windows users to the free Hotmail service and instant-messaging accounts.

The incident was yet another embarrassing lapse for Microsoft and could result in sanctions by the Federal Trade Commission and even a staggering fine. The episode occurs in the midst of Microsoft’s “Trustworthy Computing” initiative to improve security for all its software products and services.

Under a settlement last summer of government accusations that it had made deceptive claims about Passport’s security, the company pledged to take reasonable safeguards to protect those accounts and to submit to audits every two years for the next 20 years, or risk fines of up to $11 000 per violation.

Microsoft declined to say on Thursday whether it had contacted the FTC. The agency’s assistant director for financial practices, Jessica Rich, said any follow-up investigation would be conducted privately, but she added, “We routinely look into issues that may bear on compliance with our orders.”

Sanctions or fines could be calculated various ways under federal laws, but Rich confirmed that each Passport account that was vulnerable could constitute a separate violation.

“If we were to find that they didn’t take reasonable safeguards to protect the information, that could be an order violation,” Rich said.

Theoretically, that would set the maximum fine at $2,2 trillion — although experts said any fine would be significantly lower. The highest civil penalty previously assessed by the FTC was $4,05-million, against Mazda Motor Corp. in 1999. Sanctions imposed by the FTC will depend on technical details of the flaw and the adequacy of Microsoft’s response over the next few days to prevent any recurrence.

“An important factor is, when does the company tell them about it? What does the company do about it?” said Jodie Bernstein, former director of the agency’s bureau of consumer protection.

“They have discretion. They can consider what has the company done to make sure this doesn’t happen again.”

The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase “emailpwdreset”, he could seize any Passport account. He said he sent 10 e-mails to Microsoft explaining his findings but never received a response. Sohn said the company was investigating how it might have missed those reports.

Danka said he discovered the flaw after unknown hackers repeatedly hijacked Passport accounts belonging to him and a friend. He said he found the problem on Microsoft’s Web site that controls Passport accounts about four minutes after he began searching in earnest.

“It was so simple to do it. It shouldn’t have been so simple,” said Danka in Karachi. “Anyone could have done this.”

Microsoft should have been rejecting such transmissions from anywhere outside the company’s own network, Sohn acknowledged.

Microsoft shut down the affected Web address late Wednesday night, just over one hour after details were published on the Internet.

Filters to reject such requests were permanently set in place early on Thursday, Sohn said.

“We didn’t validate the input,” Sohn said. “We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this.” – Sapa-AP
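The article gives only the outline of the flaw: a password-reset step that should have been reachable solely from Microsoft’s own network was open to the Internet, and it acted on whatever the caller supplied. The following is an added illustration of that class of mistake, not Microsoft’s code; the page does not print the real URL or parameters, so the endpoint shape, the parameter names `account` and `deliver_to`, the address range `10.0.0.0/8` and the account data are all hypothetical placeholders. It shows the vulnerable pattern next to a hardened version that applies the three controls Sohn’s remarks point to: answer the internal step only from the trusted network, take the delivery address from the account record rather than the request, and require a single-use server-issued token to finish the reset.

```python
import hmac
import ipaddress
import secrets

# Constructed data for the example: account -> address of record, and passwords.
ACCOUNTS = {"alice@example.com": "alice@example.com"}
PASSWORDS = {"alice@example.com": "old-password"}
# Assumed address range of the operator's own network (hypothetical).
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")


def reset_link(account, token):
    return f"https://reset.example/complete?account={account}&token={token}"


def vulnerable_reset(params, source_ip, outbox):
    """The flaw class described in the article: an internal-only step that
    anyone on the Internet can call, and that believes what it is told.
    The caller chooses both the victim account and where the reset link goes.
    source_ip is accepted but never checked, which is the point."""
    account = params.get("account")
    if account not in ACCOUNTS:
        return 404
    token = secrets.token_urlsafe(32)
    # Delivery address comes from the request, so an attacker receives the link.
    outbox.append((params.get("deliver_to"), reset_link(account, token)))
    return 200


class HardenedReset:
    """Same step with the controls Sohn's remarks call for."""

    def __init__(self):
        self._pending = {}  # account -> outstanding single-use token

    def request_reset(self, params, source_ip, outbox):
        # Only the system itself may trigger delivery of a reset link.
        if ipaddress.ip_address(source_ip) not in TRUSTED_NET:
            return 403
        account = params.get("account")
        if account not in ACCOUNTS:
            # Same answer either way, so the step does not confirm which
            # accounts exist.
            return 200
        token = secrets.token_urlsafe(32)
        self._pending[account] = token
        # Any 'deliver_to' in the request is ignored: the link goes only to
        # the address on record for the account.
        outbox.append((ACCOUNTS[account], reset_link(account, token)))
        return 200

    def complete_reset(self, account, token, new_password):
        """Finish the reset; succeeds once per issued token, then never again."""
        expected = self._pending.get(account)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self._pending[account]
        PASSWORDS[account] = new_password
        return True


if __name__ == "__main__":
    attacker = {"account": "alice@example.com",
                "deliver_to": "mallory@attacker.example"}
    box = []
    vulnerable_reset(attacker, "203.0.113.7", box)
    print("vulnerable: link delivered to", box[0][0])
    svc, box = HardenedReset(), []
    print("hardened, external caller:", svc.request_reset(attacker, "203.0.113.7", box))
    svc.request_reset(attacker, "10.1.2.3", box)
    print("hardened, internal caller: link delivered to", box[0][0])
```

Note that the network check on its own is a weak fix: it restores the boundary that was missing, but the durable control is that the request never decides where the link is delivered. The token comparison uses `hmac.compare_digest` so a guessed token cannot be confirmed one character at a time.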