Passport woes point to process and credibility problems

The disclosure of a serious security vulnerability in the .net Passport service last week underscored shortcomings with the...

The disclosure of a serious security vulnerability in the .net Passport service last week underscored shortcomings with the development and management of the single sign-on technology.

The problems may also undermine Microsoft's efforts to win wider adoption of Passport among businesses and individuals, an industry analyst said.

The vulnerability was in a function that enabled Passport users who had forgotten their password to change it using an e-mail message sent to an address associated with their Passport account.

The flaw enabled an attacker to have the password update e-mail sent to an e-mail address of their choice, and required little more than knowledge of their victim's e-mail address.

Microsoft scrambled last week to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored, with only a "handful" of .net Passport customers affected, Sohn said.

However, with 200 million registered users and Passport Wallet features that hold sensitive financial information, John Pescatore, an analyst with Gartner, said, "This definitely raises the possibility that there are larger security issues [with Passport]."

Someone outside of Microsoft discovered the security hole years after Passport's debut which, Pescatore said, did not bode well for the service.

"We're talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows," he said.

The password vulnerability discovered may indicate Microsoft is not holding its services such as Passport and MSN TV up to the same scrutiny as its server and desktop products when it comes to security, Pescatore said.

But Sohn defended Passport's security, saying that Microsoft conducted security training and code reviews for Passport in a similar way that it did for Windows Server 2003 and other products, though not on the same scale.

"It's not a system that's rife [with errors]. It's a hardened system. We feel we employ very high levels of scrutiny," he said.

Microsoft was making progress through its Trustworthy Computing initiative and, despite other publicised vulnerabilities in recent years, there is little evidence of customer information being compromised, Sohn said.

While it was too early in the investigation to say whether Microsoft's security testing tools and procedures were to blame, Microsoft will review the Passport code review process and testing tools to figure out how the security hole was left open.

"We want to go out and figure out in a granular way how these got through," Sohn said.

Microsoft's bug reporting systems for Passport will also come under scrutiny.

Repeated efforts to contact Microsoft regarding the password problem allegedly went unanswered, according to an e-mail sent to the Full-Disclosure public mailing list by Muhammad Faisal Rauf Danka, who first reported the issue.

While Microsoft has yet to confirm or deny those allegations, Sohn acknowledged that it was possible that Danka's e-mails went undetected by Microsoft.

Systems for processing support requests and other problems reported by Passport's millions of users rely on "a lot of automation and natural language processing", he said.

"It's possible that there is some mail sitting there or that the system didn't know what to do with his piece of mail."

Regardless of what steps the company takes, the latest disclosure of a critical security vulnerability is likely to further erode Passport's already shaky standing among businesses, Pescatore said.

"Businesses are worried about risks and this makes them even more worried," he said. "If you see one termite, chances are there are a lot more under the surface."

Read more on Hackers and cybercrime prevention