Microsoft has shut down a flaw in its Passport service that could reveal users' critical personal information, a company spokesman confirmed today (Thursday).
The flaw, which was reported to the company late on Wednesday, was located in the service's password recovery system and would allow attackers to change an account password if they knew the user name.
Adam Sohn, a product manager with the Passport team, said today that the flaw has been shut down and that Microsoft is working to quickly fix the matter.
While Sohn said a preliminary investigation suggested that the vulnerability was not seriously exploited, it could, potentially, pose a large security threat to Passport users who store critical personal information, such as credit card information, with the service to access various online sites and services without having to retype information.
The vulnerability was in the function that allowed users to request a forgotten Passport password via e-mail. By tricking the system into initiating an e-mail password reset process, a malicious attacker could then request that the password be sent to a different e-mail address, Sohn said.
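The reset flow Sohn describes, written out as an added illustration that is not Microsoft's code: the user store, e-mail addresses, class and method names below are all constructed for the example. The flawed variant lets the request itself choose where the reset mail is delivered, which is the class of mistake described; the corrected variant mails only the address on record, issues a random single-use token that expires, and gives the same response whether or not the user name exists.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store (username -> registered e-mail); not real accounts.
USERS = {
    "alice": "alice@example.com",
}

TOKEN_TTL_SECONDS = 15 * 60  # reset tokens expire after 15 minutes


@dataclass
class ResetService:
    # token -> (username, expiry timestamp); kept in memory for the illustration
    pending: dict = field(default_factory=dict)
    # record of "mails" sent as (recipient, token), so the delivery address can be inspected
    sent: list = field(default_factory=list)
    # username -> new password, set when a token is redeemed
    passwords: dict = field(default_factory=dict)

    def _issue(self, username: str, recipient: str) -> None:
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self.pending[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        self.sent.append((recipient, token))

    def vulnerable_request(self, username: str, email: str) -> bool:
        """Flawed pattern: the caller supplies the delivery address, so knowing
        a user name is enough to have the reset sent somewhere else."""
        if username not in USERS:
            return False  # also leaks whether the user name exists
        self._issue(username, email)
        return True

    def hardened_request(self, username: str) -> bool:
        """Corrected pattern: the address comes only from the account record."""
        email = USERS.get(username)
        if email is not None:
            self._issue(username, email)
        return True  # identical response either way, so user names are not enumerated

    def redeem(self, token: str, new_password: str, now: Optional[float] = None) -> Optional[str]:
        """Consume a token and set the password; returns the username on success."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            return None
        self.passwords[username] = new_password
        return username


if __name__ == "__main__":
    svc = ResetService()
    svc.vulnerable_request("alice", "someone-else@example.net")
    print("vulnerable flow mailed:", svc.sent[-1][0])
    svc = ResetService()
    svc.hardened_request("alice")
    print("hardened flow mailed:", svc.sent[-1][0])
```

The test of the corrected design is that nothing in the request can redirect the mail: the only input is the user name, and every other value (recipient, token, expiry) is derived server-side.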
Microsoft has turned off this feature while it fixes the problem, and users requesting a forgotten password were instructed to use other means, such as going through the customer service support page.
Sohn said the problem should be fixed "within hours" and that the company is investigating the matter.