Microsoft's Passport doomed

By Munir Kotadia
13 May 2003 11:30 AM
Tags: munir, kotadia, european union, passport, microsoft, ftc, flaw
COMMENTARY--Another week and yet another Microsoft security vulnerability has emerged--this time on Passport, which is supposed to be used as a central repository for personal information, including credit card details.

Passport is Microsoft's attempt to create a 'single sign on' system so people don't have to remember hundreds of passwords and usernames in order to go shopping online.

If you have a Hotmail account, then you were at risk, but unless you were naïve enough to trust Passport with your most valuable information, the only danger is that someone might be able to read your private emails--if they can find them among all the spam.

However, if you have had problems logging into your Hotmail account, or another Passport service, and you had to get a new password or open a new account, there is a chance that you were a victim, without ever knowing.

For some reason, Microsoft decided to use a simple URL for Passport's password change function, which means that if I wanted to break into your Passport account, all I needed to know was your username. I would type a particular URL into my browser and within minutes, your username and password would be sent to an e-mail address of my choice.

From that moment, I would have complete access to your Passport account.
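As an added illustration, and not code from the column or from Microsoft, the constructed Python model below puts the pattern the column describes (a reset handler that mails a fresh password to whatever address the request names) beside a hardened version that ignores the caller-supplied address, mails a single-use random token only to the address already on file, and never mails a password. All names, parameters and the sample account are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model: not Microsoft's code; all names and parameters are assumptions.

@dataclass
class Account:
    username: str
    email_on_file: str                 # address verified when the account was created
    password: str
    reset_token: Optional[str] = None  # used only by the hardened flow

Accounts = Dict[str, Account]
Mail = Tuple[str, str]  # (recipient, body) that the service would send

def insecure_reset(accounts: Accounts, username: str, reply_to: str) -> Mail:
    """The weakness the column describes: knowing only a username lets the caller
    have that account's new password mailed to an address the caller chose."""
    acct = accounts[username]
    acct.password = secrets.token_urlsafe(8)
    return reply_to, f"user={acct.username} password={acct.password}"

def request_reset(accounts: Accounts, username: str, reply_to: str) -> Optional[Mail]:
    """Hardened step 1: reply_to is deliberately ignored. A single-use random token
    goes only to the address already on file, and no password is ever mailed."""
    del reply_to  # untrusted input; it must never decide where the message goes
    acct = accounts.get(username)
    if acct is None:
        return None  # a real service would still answer with the same generic response
    acct.reset_token = secrets.token_urlsafe(32)
    return acct.email_on_file, f"reset token for {acct.username}: {acct.reset_token}"

def complete_reset(accounts: Accounts, username: str, token: str, new_password: str) -> bool:
    """Hardened step 2: the caller proves control of the on-file mailbox by presenting
    the token, which is compared in constant time and burned on first use."""
    acct = accounts.get(username)
    if acct is None or acct.reset_token is None:
        return False
    if not hmac.compare_digest(acct.reset_token, token):
        return False
    acct.reset_token = None
    acct.password = new_password
    return True
```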

The flaw in Passport was such a fundamental error that it makes me cringe whenever I hear the term "trustworthy computing". How can anyone associated with Microsoft keep a straight face when talking about security?

The day after the flaw was discovered--and after Microsoft's finest engineers spent 24 hours fixing the problem--Adam Sohn, product manager for Microsoft's Passport team, was speaking with reporters: "[The flaw] was something that slipped through the reviews," said Sohn, who (I'm sure must have been trying to hold back a huge belly laugh) added: "You live and learn."

A little while ago, Microsoft was slapped on the wrists for putting up advertisements that claimed its software would make hackers an extinct species. A judge made the company pull the whole advertising campaign because its claims were a joke.

But the more I think about it, the more it makes sense. Hackers will become extinct because Microsoft "security" is so simple to penetrate that you don't need a hacker; in fact, a trained chimp would be overqualified.

On Microsoft's Web site, the company says it "takes all reported incidents of security issues very seriously and is committed to keeping our customers informed of developments." Well that makes me feel much better. What this tells me is that when (no questions about "if") there is a security problem with a piece of bloatware, the boys in Redmond will tell us about it. Not fix the problem or apologise for being incompetent, but just let us know that a problem existed.

Well thanks guys.

In the terms and conditions of Passport, it says: "Microsoft is not responsible for any loss that you may incur as a result of any unauthorised person using your account or your password." So even though its software is flawed, if someone takes advantage of that flaw, Gates and co. are not responsible.

There are reports that last August, Microsoft promised the Federal Trade Commission (FTC) that it would tighten up its security--including Passport. The FTC now has a legal case to fine Microsoft so heavily that even Redmond's seemingly bottomless bank account would be emptied. This leaves the FTC in a position to clean up the mess left by the Department of Justice.

When I checked my e-mails this morning, I found that Symantec had recently carried out a survey of IT directors and found that, given a magic wand, 40 percent of them would eradicate all the software vulnerabilities in their systems. The survey didn't tell me what the remaining 60 percent would eradicate, but I would like to think that it would be Microsoft's stranglehold on the IT industry.

Go on FTC, show some bottle and wave that wand.

Talkback 2 comments

    Microsoft's .Net passport infr ...Anonymous -- 13/05/03

    Microsoft's .Net passport infrastructure is crap to say the least.

    Sometimes you can't log in, the other day I couldn't log out of a particular passport; which I have written to Microsoft about (not that they reply).

    The timing of SCO legal action ...ButNutz -- 15/05/03

    The timing of SCO legal action against Linux and Microsoft stuff up seem too coincidental. Microsoft never had a reputation to destroy, so no-one seems particularly concerned at these revelations, but something tells me they don't care and they will win again...

    Simple answer: Keep your private information to yourself and out of the hands of monster, behemoth uncaring multinationals like Microsoft and the new contender for Sun - MS backed SCO... let the games begin!
