We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Another set back for Microsoft's Passport

Flaw leaves user info up for grabs

Microsoft faces the threat of a hefty fine after scrambling to shut down a flaw in its Passport service that could reveal users' critical personal information.

The flaw, which was reported to the company on Wednesday, was located in the service's password recovery system, allowing attackers to change an account password if they knew the username. Adam Sohn, a product manager with the Passport team, said that the flaw has been shut down and that the company is working quickly to fix the matter.

While Sohn said a preliminary investigation suggested that the vulnerability was not seriously exploited, it could pose a huge security threat to Passport users who store critical personal information, such as credit card information, with the service in order access various online sites and services without having to retype information.

The vulnerability was in the function that allowed users to request a forgotten Passport password via email. By tricking the system into initiating an email password reset process, a malicious attacker could then request that the password be sent to a different email address, Sohn said.

But under an agreement signed with the Federal Trade Commission (FTC) last August, Microsoft promised it would not give false information about security and would seek to improve privacy protection. It could face hefty fines — up to $11,000 per violation — if its reset password feature is found to decrease privacy protection.

The company was unavailable for comment on whether it was in discussions with the FTC over the incident.

Microsoft has turned off the recovery feature while it fixes the problem, and users requesting a forgotten password were instructed to use other means, such as going through the customer service support page.

IDG UK Sites

Microsoft Surface 3 UK release date, price and specs: New Surface tablet offers free upgrade to Win?......

IDG UK Sites

It's World Backup Day 2015! Don't wait another minute: back up now

IDG UK Sites

Adobe Comp CC iPad app review

IDG UK Sites

April Fool's Day pranks: play these geeky pranks on April Fools Day and fool your friends