More .NET Passport security doubts raised

New security flaws have been discovered in Microsoft .NET Passport. If you have (or suspect you have) employees using Hotmail to exchange confidential corporate information, you should be especially concerned about this. Here's a detailed look.

Another security vulnerability has been discovered in Microsoft's widely used .NET Passport online verification system. This is the second problem with .NET Passport in just two months, and it's causing even more people to rethink the wisdom of using the Microsoft identity management service.

Microsoft says it has corrected this threat, which it described as a minor problem, but the company criticized the person who posted the information in a public forum. The July 2, 2003, Australian IT news report quotes the discoverer, Victor Manuel Alvarez Castro, of Mexico, as saying that he made the threat public only after he had tried, without success, to notify Microsoft by e-mail.

A story in Information Week gives few additional details and no information about just how Microsoft fixed the problem, which allowed attackers to obtain the passwords of early .NET Passport adopters by giving only minimal personal information, such as their e-mail address and zip code.

This is actually the third Passport problem made public since Microsoft reached a settlement agreement with the Federal Trade Commission last year as a result of FTC charges that Microsoft's claims for the security of .NET Passport were, to put it nicely, exaggerated.

Since the earlier vulnerabilities were passed over in this column because of more pressing threats, we'll look at the two May 2003 .NET Passport problems here as well.

Both earlier Passport problems were reported by a group calling itself Pakistani CERT in PakCERT Security Advisory PC-080503, "Multiple Vulnerabilities Found in Microsoft .NET Passport Services," May 8, 2003.

The first issue identified by PakCERT was a way to bypass the security questions required before Passport would issue a new password to a subscriber. The second problem was another password flaw. PakCERT didn't give any details at the time, saying the vulnerabilities were too easy to exploit. However, another source did detail one of these exploits online. Microsoft offered this very brief explanation of the fix the company implemented to address the second Passport problem.

This year's problems aren't the first for Passport either. Security guru Mark Smelko outlined a way to compromise a Passport Wallet containing credit card information back in 2001.

For a general look at the dangers posed by Passport, and any other similar service, check out "Risks of the Passport Single Signon Protocol," a whitepaper written a couple of years ago by two of Ma Bell's boys at the AT&T research labs.

If you've had a Hotmail account for several years and someone knows both your e-mail address and your approximate physical location (state and zip code), they could easily hijack your Passport identity. This applies to anyone using a Hotmail account, regardless of operating system.

Risk level
This is a moderate threat for most users, but it is critical for those who store credit card information in a Passport Wallet.

Mitigating factors
More recent .NET Passport accounts were set up with a secret question that must be answered before a password can be reset. That reduces or eliminates the threat to those accounts, except against attackers who know enough about the victim to answer the question.

Many of the news reports about this latest flaw downplayed the risk, pointing out that you need to know the user's state and zip code as well as their e-mail address. Of course, the state adds nothing: given a zip code, you can look up the city and state in a few seconds on the Internet, so the real secret is a five-digit number that anyone who knows roughly where the victim lives can guess in a few hundred tries.

I found the initial report of a fix in my daily e-mail from, which is often the first security organization to see new attacks. Microsoft didn't release any details. They simply announced that the problem had been addressed by suspending the secret question feature for a few hours and then patching the software.

Final word
I have a .NET Passport account, since it's unavoidable if you have a Hotmail account, but I do not provide Microsoft with any sensitive or even factual information. Like most security-conscious people, I have an in-depth online alias that extends to personal information, not just a username.

Since Microsoft, in general, and Passport, specifically, have had so many security problems, I find it difficult to believe that anyone using the Web for any serious business would risk giving Microsoft any more personal information than is absolutely necessary to get their software to work. Nevertheless, many people are using free Hotmail accounts and may include significant corporate information in some of those e-mails—which is probably the real threat here, even more than the disclosure of what the users may have told Passport.

I always view any information in any e-mail account as being exposed to the people who manage the servers. In this case, that makes virtually any information in Hotmail messages susceptible to reading by hackers. It's an interesting coincidence that a recent CBS MarketWatch story reported that 22 percent of organizations have fired an employee for some form of inappropriate use of e-mail messaging.

Also watch out for:
  • The Security Breach Information Act (SBIA) has now gone into effect. SBIA requires companies doing business with anyone in California to inform clients in the event of a suspected security breach that might have resulted in exposure of personal information that could be used as part of an identity theft scam. See the full story in this article or check out the text of the law. It's important to note that Microsoft .NET Passport problems could trigger this law. In related news, Senator Dianne Feinstein (D-California) has introduced a similar national bill in the U.S. Senate.
  • Security Focus has reported that PetCo fixed a threat to 500,000 users' credit card numbers over the weekend (possibly saving itself the problem of determining how many users live in California and filing a report to that effect).
  • Security Focus has also kindly posted a link to the 53 known SQL injection threats as listed in BugTraq. Apparently, not every e-commerce site has gotten the word, despite the fact that the Guess Jeans company has been charged by the FTC in conjunction with SQL injection-related problems.
  • A report on says the Sophos antivirus security firm has seen a 17 percent increase in the number of viruses so far this year. You can also read the Sophos press release, where the company claims seeing 3,855 new viruses in the first half of 2003. The company also points out that eight of the top 10 viruses this year spread via multiple channels (e.g., e-mail, IM, and P2P programs). Of course, virus attacks are key to Sophos' business, so you have to take the report with a small grain of salt. Still, this is a legitimate report, and the company details the top virus hoaxes of the year so far. The Symantec site also lists several viruses, but you'll note that most of them have a low threat rating.
