The disclosure Wednesday of a serious security vulnerability in the .Net Passport service underscored shortcomings with the development and management of the single sign-on technology and may undermine Microsoft’s efforts to win wider adoption of Passport among businesses and individuals, an industry analyst said.

The flaw came to the company’s attention late Wednesday after details about it were posted to an online software vulnerability discussion list. The vulnerability was in a function that enabled Passport users who had forgotten their password to change it using an e-mail message sent to an address associated with their Passport account. The flaw enabled an attacker to have the password update e-mail sent to an e-mail address of their choice, and required little more than knowledge of their victim’s e-mail address to use.

Microsoft scrambled late Wednesday and Thursday to turn off the e-mail update feature and patch the problem, according to Adam Sohn, product manager of Passport at Microsoft. The password update feature was patched and the password e-mail service restored by early Thursday morning, with only a “handful” of .Net Passport customers affected, Sohn said.

However, with 200 million registered users and Passport Wallet features that hold sensitive financial information, the issue raises questions about the security of the entire Passport service, according to John Pescatore, an analyst with Gartner.
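The bug class described above, a password-reset message whose destination is taken from the request rather than from the account on file, is illustrated here with an added, constructed example; it is not Passport code and makes no claim about how Passport's reset actually worked. The in-memory account store, the `OUTBOX` mail capture and the token format are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory account store (hypothetical, not a real data model).
ACCOUNTS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
OUTBOX = []         # captured outgoing "e-mails" so the flow can be inspected offline

def send_mail(to, body):
    OUTBOX.append((to, body))

def _issue_token(username):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, time.time() + 900)
    return token

def request_reset_vulnerable(username, email_from_request):
    """Flawed pattern: the reset message goes wherever the caller asks."""
    if username not in ACCOUNTS:
        return False
    send_mail(email_from_request, f"reset token: {_issue_token(username)}")
    return True

def request_reset_hardened(username, email_from_request):
    """Fixed pattern: the destination is read from the stored record, never from the
    caller, and the response is the same whether or not the name/address pair matches."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["email"].lower(), email_from_request.lower()):
        return True  # identical answer: do not reveal which address is on file
    send_mail(acct["email"], f"reset token: {_issue_token(username)}")
    return True

def redeem_token(token, new_password):
    """Consume a single-use, time-limited token and set the new password."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < time.time():
        return False
    ACCOUNTS[entry[0]]["password"] = new_password
    return True
```

In a review, the thing to grep for is any reset handler whose mail recipient is derived from request input; the hardened version above only ever mails the address stored with the account.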
“This definitely raises the possibility that there are larger security issues (with Passport),” he said.

The fact that such a glaring security hole was discovered by someone outside of Microsoft, years after Passport’s debut, does not bode well for the service, Pescatore said.

“We’re talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows,” he said.

The password vulnerability discovered Wednesday may indicate Microsoft is not holding its services such as Passport and MSN TV up to the same scrutiny as its server and desktop products when it comes to security, Pescatore said.

But Sohn defended Passport’s security, saying that Microsoft conducted security training and code reviews for Passport in a similar way that it did for Windows Server 2003 and other products, though not on the same scale.

“It’s not a system that’s rife (with errors). It’s a hardened system. We feel we employ very high levels of scrutiny,” he said. Microsoft was making progress through its Trustworthy Computing initiative and, despite other publicized vulnerabilities in recent years, there is little evidence of customer information being compromised, Sohn said.

While it was too early in the investigation to say whether Microsoft’s security testing tools and procedures were to blame, Microsoft will review the Passport code review process and testing tools to figure out how the security hole was left open, Sohn said.

“We want to go out and figure out in a granular way how these got through,” he said.

Also under scrutiny will be Microsoft’s bug reporting systems for Passport, according to Sohn.
Repeated efforts to contact Microsoft regarding the password problem allegedly went unanswered, according to an e-mail sent to the Full-Disclosure public mailing list by Muhammad Faisal Rauf Danka, who first reported the issue.

While Microsoft has yet to confirm or deny those allegations, Sohn acknowledged that it was possible that Danka’s e-mails went undetected by Microsoft. Systems for processing support requests and other problems reported by Passport’s millions of users rely on “a lot of automation and natural language processing,” he said.

“It’s possible that there is some mail sitting there or that the system didn’t know what to do with his piece of mail,” Sohn said.

Ironically, Microsoft’s Security Response Center received Mr. Danka’s message only after it was forwarded to them by the company’s campus security, which manages the physical security of Microsoft’s buildings, according to Sohn. At that point, however, Danka’s message had already been posted to the Internet, he said.

Microsoft will likely revamp its forms and procedures for submitting issues regarding Passport, in an effort to ensure that critical items are directed to its Security Response Center, Sohn said. Microsoft will also look to improve the automation technology and ferret out high priority issues from the millions of low-level account and authentication queries that are submitted each day, he said.

Regardless of what steps the company takes going forward, the latest disclosure of a critical security vulnerability is likely to further erode Passport’s already shaky standing among businesses, Pescatore said.

“Businesses are worried about risks and this makes them even more worried,” he said. “If you see one termite, chances are there are a lot more under the surface.”