According to a message posted by Muhammad Faisal Rauf Danka to the Bugtraq mailing list, Microsoft's .NET Passport service is wide open to attack by using a Passport user's Hotmail account to reset the password.
Danka claims to have found a certain Passport URL that anyone can enter into a Web browser and thereby hijack a user's Passport account. According to Danka, by tweaking the email address variables of the URL, a password change confirmation message can be sent to an email address of the attacker's choosing instead of the Passport account owner's email address. The email message contains another URL, and when a potential account hijacker clicks it, he or she can reset the Passport logon password. This effectively bypasses Passport's security checks that require users to answer specific questions before being allowed to reset an account password. With the account password in hand, the hijacker has complete access to the user's Passport account.
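The reset-flow weakness described above, shown as an added example that is not part of the original article and not Passport's own code: a constructed Python reset service in which the flawed handler mails the confirmation to whatever address the request names, beside a hardened handler that only ever mails the address on record and binds each single-use, expiring token to the account. All account names, addresses and function names are hypothetical.

```python
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed account store (hypothetical data): username -> registered e-mail.
ACCOUNTS = {"alice": "alice@example.invalid"}

# Simulated outbound mail: recipient address -> reset tokens delivered there.
OUTBOX: Dict[str, List[str]] = {}

# Issued tokens: token -> (account it belongs to, expiry as a Unix timestamp).
TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_LIFETIME_SECONDS = 900


def _deliver(to_address: str, token: str) -> None:
    """Stand-in for sending the confirmation e-mail; only records the delivery."""
    OUTBOX.setdefault(to_address, []).append(token)


def request_reset_vulnerable(username: str, email_param: str) -> str:
    """Flawed pattern: the destination is taken from the request itself, so the
    confirmation link can be steered to any mailbox the requester controls."""
    if username not in ACCOUNTS:
        raise KeyError("no such account")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (username, time.time() + TOKEN_LIFETIME_SECONDS)
    _deliver(email_param, token)
    return token


def request_reset_hardened(username: str, email_param: str) -> Optional[str]:
    """Hardened pattern: the request's e-mail field is compared against the
    record but never used as the destination; the link goes to the registered
    address only. Returns the token for the demo; a real service would not."""
    registered = ACCOUNTS.get(username)
    if registered is None or email_param.lower() != registered.lower():
        return None  # identical response for unknown account or wrong address
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (username, time.time() + TOKEN_LIFETIME_SECONDS)
    _deliver(registered, token)
    return token


def confirm_reset(token: str, new_password: str) -> Optional[str]:
    """Redeem a token exactly once, before expiry; returns the bound account."""
    entry = TOKENS.pop(token, None)  # pop makes the token single-use
    if entry is None:
        return None
    username, expires = entry
    if time.time() > expires:
        return None
    # The password update itself is elided; the account binding is the point.
    return username
```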
Danka said he discovered the vulnerability on April 12 and has tried since then to notify Hotmail of the problem by sending email to various email addresses but has received no response so far. I wonder if Danka realizes that Hotmail is a Microsoft product and that Microsoft has well-known methods for the public to notify them of security vulnerabilities? If you discover security problems in any Microsoft products or services, visit the TechNet Web site where you can notify the company of your concerns.
Microsoft quickly reacted to the vulnerability by removing access to the URL described by Danka. Users reported that the vulnerability appeared to affect older Passport accounts, but not any newer accounts. Microsoft has also disabled user accounts that appear to have been compromised by this specific attack. So as one mailing list reader pointed out, if you tried the exploit using your own Passport account, you might find that your account is now disabled. You'll need to work with Passport to reset your password.