Microsoft plugged another security hole in its .Net Passport solution this week. A few days earlier Victor Manuel Alvarez Castro posted a message to a vulnerability discussion mailing list that discussed details of the problem.
By taking advantage of the "Secret Question" feature of Passport, an intruder could reset an account password and thereby take control of that account. The problem stems from the fact that the "Secret Question" feature was added later in the design of Passport, which meant that earlier Passport accounts often had no related "Secret Question" on file. Those accounts with no "Secret Question" data were the ones vulnerable to hijacking.
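The bug class described above, as an added illustration (not Passport's code; the page does not say how the check was implemented, so the fail-open comparison and the account layout here are assumptions): a reset path that compares the supplied answer against whatever is stored lets an account with nothing enrolled through, while a fail-closed version refuses the path entirely and an audit helper lists such accounts.

```python
"""Constructed model of a secret-question password reset check.

Assumption (not from the article): the vulnerable path compared the
supplied answer to the stored one, so "nothing stored" matched
"nothing supplied". Accounts are constructed sample data.
"""
import hmac
from typing import Optional

# Constructed sample accounts: one created before the Secret Question
# feature existed (no data on file), one enrolled afterwards.
ACCOUNTS = {
    "legacy@example.com": {"question": None, "answer": None},
    "newer@example.com": {"question": "First pet?", "answer": "rex"},
}


def normalize(answer: Optional[str]) -> str:
    """Fold case/whitespace so 'Rex ' and 'rex' compare equal."""
    return (answer or "").strip().lower()


def reset_allowed_fail_open(user: str, supplied: Optional[str]) -> bool:
    """Vulnerable: a missing stored answer equals a missing/empty supplied
    answer, so legacy accounts pass the check with no knowledge at all."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    return normalize(acct["answer"]) == normalize(supplied)


def reset_allowed_fail_closed(user: str, supplied: Optional[str]) -> bool:
    """Hardened: no enrolled question means this reset path is unusable;
    such accounts must be routed to a separate verification flow."""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct["question"] or not acct["answer"]:
        return False  # fail closed: nothing enrolled, nothing to verify
    if not supplied:
        return False
    # Constant-time compare so timing does not leak the stored answer.
    return hmac.compare_digest(normalize(acct["answer"]).encode(),
                               normalize(supplied).encode())


def unenrolled_accounts() -> list:
    """Audit helper: accounts that would be exposed by the fail-open check."""
    return sorted(u for u, a in ACCOUNTS.items()
                  if not a["question"] or not a["answer"])
```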
Upon learning that details of the exploitable problem had been posted to the Internet, Microsoft quickly moved to fix it. This is the second time in about 60 days that Passport has been shown to have serious flaws that let an intruder take over accounts.
Microsoft had previously come under severe scrutiny from the Federal Trade Commission (FTC) for making false claims about Passport security. An agreement struck with the FTC remains in effect for 20 years and requires that the company regularly subject itself to third-party scrutiny to gauge the security of Passport. Back in August 2002, Brian Arbogast, the Microsoft corporate vice president responsible for Passport, had said, "We will also ensure that a third-party professional firm reviews, advises us, and ultimately certifies that our information-security program is designed and operates with sufficient effectiveness to provide reasonable assurances that the security, confidentiality, and integrity of every Passport user's information is protected."