Microsoft in the dock over security

Microsoft in the dock over security

Microsoft's latest security blunder was the result of an obvious hole that should have been plugged months ago, says technology analyst Bill Thompson.

Technology news sites around the web have been up in outrage over the latest security flaw in Microsoft's Passport service.

Everyone has found space to criticise the apparent sloppiness of the developers at Microsoft, who had left an obvious hole in the way it deals with lost passwords.

In case you are not one of the 200 million people who have signed up, a number which includes every Hotmail user, Passport lets you set up a single online identity which you can use when visiting a wide range of websites.

You store your personal information with Passport and it is handed over to participating websites based on what you decide, and you do not need to remember lots of login names and passwords.

In theory it is a useful service, although there were enough concerns about such a key component of the net's infrastructure being in Microsoft's hands that a number of other companies got together to form the Liberty Alliance to create an alternative, more open, way of doing the same thing.

Simple hack

Now it seems that a flaw in the password reset mechanism has left Passport completely open to any drive-by hacker, random stranger or friend with a grudge.

If you cannot remember your password then you can go to the Passport site and ask for it to be reset. When you click on the link, the service e-mails a URL to your e-mail address, and you click on that URL to get your new password.

It is simple and it works.

Unfortunately, the link you click on to ask Passport for a new password includes both the details of the account you want reset and the e-mail address to which it sends the generated URL.

If you copy this URL, edit the e-mail address field, and then send it to Passport you can get the link sent to any address you want, after which the Passport account is yours.

It is such an obvious error that it must have been noticed months, if not years, ago by people who decided that this was such a good trick they would not bother telling Microsoft.

It is the sort of programming error that you would expect from a web developer fresh from college. And although it has now been fixed - so do not bother trying it at home - it has been there for a very long time indeed.

$2.2 trillion fine?

Fortunately for those of us who think incompetence should be punished just as virtue should be rewarded, this latest error could cost Microsoft more than $2 trillion in fines.

This is because Microsoft has already been in trouble over Passport before, and last year the US Federal Trade Commission told it to sort out its act or face a fine of up to $11,000 each time customer privacy was violated.

With around 200 million customers whose privacy has been compromised by the problem, that comes to $2.2 trillion, a sum which even Bill Gates would find hard to find.

In Europe we have data protection laws that applies to every company. But since the US Government believes that protecting personal privacy should be left to the market, the FTC has to threaten you first. They have done that, and this problem might finally persuade them to take some serious action.

Any real fine will be nowhere near the maximum, since the number of people who have had their accounts broken into is probably in the thousands.

Few of us have been foolish enough to keep credit card details in a Passport, and most hackers will have used the flaw to get access to people's e-mail instead.

This may be embarrassing but is unlikely to lead to financial loss. Still, it would be refreshing to see a big company have to pay for such a security lapse and it might encourage others to take the issue more seriously.

Source: BBCi