Hole found in Microsoft's Passport wallet

Vulnerabilities discovered in Microsoft Corp.'s free e-mail and Passport authentication services allowed a programmer to access credit card information stored on the company's servers, forcing it to shut down the electronic wallet feature in Passport until it can fix the problem, Microsoft confirmed Friday.

By exploiting holes in Microsoft's Hotmail e-mail service, as well as the Passport.com Web site used behind the scenes when a user logs onto Passport, a Seattle-based programmer was able to create a program which he said exposed personal information submitted by subscribers. The Web site Wired News first reported the exploit after testing the vulnerability with the programmer who discovered it.

"We took some quick steps to verify and fix the issues," said Adam Sohn, a product manager with Microsoft's .Net team. "As a general safety precaution we made the decision to take the (wallet) service off line."

He said there is no evidence that anyone exploited the holes or that information was compromised before the fixes were made Thursday afternoon. Microsoft will reinstate the wallet service soon, he said.

Passport allows users to log on to the Web once and then gain access to a range of Microsoft properties and services, from its MSN network of Web sites to the Web services it is rolling out called .Net My Services. The company also has deals with third-party Web sites, such as eBay Inc. and Starbucks.com, that allows users to log into those sites without re-entering their user name and password.

The electronic wallet feature of Passport, called Passport Express Purchase, stores credit card information and mailing addresses so that users can also make purchases at Web sites that support the technology.

Marc Slemko, a software engineer and founding member of the Apache Software Foundation, identified the vulnerability after discovering what he described as a series of weaknesses with Microsoft's Internet services. "I started looking at the security of Passport when Microsoft began pushing it for much broader use," he said Friday.

Slemko wrote a program that can be used to reveal information in a user's Passport wallet in the minutes after that user logs into their Hotmail account, he said. To do so he took advantage of a vulnerability known as "cross-site scripting." Simply put, this weakness can allow a malicious coder to get between a Web site and a user's machine and compromise the securiuty of the connection.

Sohn said cross-site scripting is a vulnerability that affects the Internet as a whole, not just Microsoft's services. "This is a very sophisticated exploit," he said, adding that it takes "considerable expertise" to recreate the process. For those who do, it is even more difficult to actually steal any information, he said.

When a user signs onto Passport there is a five-minute period in which information in their wallet becomes accessible, allowing them to make an electronic purchase. After that time period, a user would need to re-enter their login and password to use the wallet.

Slemko said his program uses cross-site scripting to access user information during that five-minute window. Microsoft has reduced the window to about one minute since it was alerted to the problem, according to Sohn.

The exploit was successfully tested on the Internet Explorer 5.5 and 6.0 Web browsers running on Windows 2000 and Windows 98 machines, Slemko said. Windows XP users were never affected because security has been beefed up in the new operating system, Sohn said.

Passport is used by 165 million subscribers, and about 2 million of those users also have electronic wallet accounts, according to Microsoft. The service is a central component in Microsoft's strategy to provide software and services that will allow users to share information on the Web among a variety of devices and applications.

Slemko has created a Web site at http://alive.znep.com/~marcs/passport/, which details his findings and discusses what he said are other security issues with Passport.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Berger

Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?