Microsoft battles Passport vulnerability

Microsoft shut down its free e-mail and Passport authentication services on 2 November after a programmer gained access to credit...

Microsoft shut down its free e-mail and Passport authentication services on 2 November after a programmer gained access to credit card information stored on the company's servers.

By exploiting holes in Microsoft's Hotmail e-mail service, as well as the Web site used behind the scenes when a user logs on to Passport, a Seattle-based programmer was able to create a program that he said exposed personal information submitted by subscribers.

"We took some quick steps to verify and fix the issues," said Adam Sohn, a product manager with Microsoft's .Net team. "As a general safety precaution we made the decision to take the [electronic wallet section of the] service offline."

Sohn said there was no evidence that anyone had exploited the holes or that information had been compromised before the fixes were made on 1 November, and that Microsoft would reinstate the wallet service soon.

Passport enables users to log on to the Web once and then gain access to a range of Microsoft properties and services, from the company's MSN network of Web sites to the Web services it is rolling out called .Net My Services.

The software giant also has deals with third-party Web sites, such as eBay and, which enable users to log on to those sites without re-entering their user name and password.

The electronic wallet feature of Passport, called Passport Express Purchase, stores credit card information and mailing addresses so that users can make purchases at Web sites that support the technology.

Marc Slemko, a software engineer and one of the founding members of the Apache Software Foundation, identified the vulnerability after discovering what he described as a series of weaknesses within Microsoft's Internet sites.

"I started looking at the security of Passport when Microsoft began pushing it for much broader use," he said.

Slemko created a program that he said could be used to reveal information in a user's Passport wallet in the minutes after they log into their Hotmail account. To do so he took advantage of a vulnerability known as "cross-site scripting". This weakness can allow a malicious coder to get between a Web site and a user's machine, and run code on that machine when the user visits the site.

Sohn said cross-site scripting was a vulnerability that affected the Internet as a whole. "This is a very sophisticated exploit," he said, adding that it takes "considerable expertise" to recreate the process. For those who do, it is even more difficult to actually steal any information, Sohn said.

When a user signs on to Passport there is a five-minute window when the information in their wallet becomes accessible, allowing them to make an electronic purchase. After that time period, a user needs to re-enter their login and password to use the wallet, said Microsoft.

Slemko said his program used cross-site scripting to access information about users during that five-minute window. Since discovering the problem, Sohn said that Microsoft had reduced the window to about one minute.

"Part of the complexity of this issue is that it isn't just one hole that makes it vulnerable," Slemko said. "The basic underlying hole is due to the fact that authentication information is cached and shared across pages."

The vulnerability affected Microsoft Internet Explorer 5.5 and 6.0 Web browsers running on Windows 2000 and Windows 98 machines. Windows XP users were not affected because the new operating system has strengthened security features, Sohn said.

Passport is used by 165 million subscribers, according to Microsoft. About two million of those users also have electronic wallet accounts, the company said.

Read more on Operating systems software