The disclosure of a serious security vulnerability in the .net Passport service last week underscored shortcomings with the development and management of the single sign-on technology. The problems may also undermine Microsoft's efforts to win wider adoption of Passport among businesses and individuals, an industry analyst said.
The vulnerability was in a function that enabled Passport users who had forgotten their password to change it using an e-mail message sent to an address associated with their Passport account.
The flaw enabled an attacker to have the password update e-mail sent to an e-mail address of their choice, and required little more than knowledge of their victim's e-mail address.
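The design flaw described above, modelled as an added example that is not Passport's code: a hypothetical reset handler that lets the request name where the reset mail goes, beside a hardened version that sends only to the address on record, answers identically for unknown accounts, and consumes a short-lived token once. All account data and the mail queue are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed account store and outbox (hypothetical, not real Passport data).
ACCOUNTS = {"alice@example.com": {"pw_hash": None, "recovery_email": "alice@example.com"}}
OUTBOX = []    # stand-in for the outbound mail queue
PENDING = {}   # reset token -> (account, expiry timestamp)
TOKEN_TTL = 900

def request_reset_flawed(account, send_to):
    """Flawed pattern: the caller chooses the destination of the reset mail."""
    if account not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(24)
    PENDING[token] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append({"to": send_to, "token": token})   # goes wherever the request says
    return send_to

def request_reset_hardened(account):
    """Hardened pattern: destination comes only from the stored record."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return "ok"   # same response for unknown accounts, so nothing is revealed
    token = secrets.token_urlsafe(24)
    PENDING[token] = (account, time.time() + TOKEN_TTL)
    OUTBOX.append({"to": rec["recovery_email"], "token": token})
    return "ok"

def complete_reset(token, new_password):
    """Consume the token exactly once, only while unexpired, then set the password."""
    entry = PENDING.pop(token, None)   # pop: a second use of the same token fails
    if entry is None:
        return False
    account, expiry = entry
    if time.time() > expiry:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
    ACCOUNTS[account]["pw_hash"] = (salt, digest)
    return True
```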
Microsoft scrambled last week to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored, with only a "handful" of .net Passport customers affected, Sohn said.
However, with 200 million registered users and Passport Wallet features that hold sensitive financial information, John Pescatore, an analyst with Gartner, said, "This definitely raises the possibility that there are larger security issues [with Passport]."
Someone outside of Microsoft discovered the security hole years after Passport's debut which, Pescatore said, did not bode well for the service.
"We're talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows," he said.
The password vulnerability discovered may indicate Microsoft is not holding its services such as Passport and MSN TV up to the same scrutiny as its server and desktop products when it comes to security, Pescatore said.
But Sohn defended Passport's security, saying that Microsoft conducted security training and code reviews for Passport in a similar way that it did for Windows Server 2003 and other products, though not on the same scale.
"It's not a system that's rife [with errors]. It's a hardened system. We feel we employ very high levels of scrutiny," he said.
Microsoft was making progress through its Trustworthy Computing initiative and, despite other publicised vulnerabilities in recent years, there is little evidence of customer information being compromised, Sohn said.
While it was too early in the investigation to say whether Microsoft's security testing tools and procedures were to blame, Microsoft will review the Passport code review process and testing tools to figure out how the security hole was left open.
"We want to go out and figure out in a granular way how these got through," Sohn said.
Microsoft's bug reporting systems for Passport will also come under scrutiny.
Repeated efforts to contact Microsoft regarding the password problem allegedly went unanswered, according to an e-mail sent to the Full-Disclosure public mailing list by Muhammad Faisal Rauf Danka, who first reported the issue.
While Microsoft has yet to confirm or deny those allegations, Sohn acknowledged that it was possible that Danka's e-mails went undetected by Microsoft.
Systems for processing support requests and other problems reported by Passport's millions of users rely on "a lot of automation and natural language processing", he said.
"It's possible that there is some mail sitting there or that the system didn't know what to do with his piece of mail."
Regardless of what steps the company takes, the latest disclosure of a critical security vulnerability is likely to further erode Passport's already shaky standing among businesses, Pescatore said.
"Businesses are worried about risks and this makes them even more worried," he said. "If you see one termite, chances are there are a lot more under the surface."