New Zealand developers using Microsoft products are relaxed about the recently reported security hole in Microsoft’s Passport service.
The security hole, reported last week (Passport flaw leaves user info up for grabs), allowed attackers to request Passport users’ “forgotten” passwords by email. This would give attackers full access to all information stored in the compromised Passport account, including details such as credit card numbers.
According to Gartner analyst John Pescatore, the flaw calls into question Passport’s reliability.
"This definitely raises the possibility that there are larger security issues [with Passport]," he says. "We're talking about a back door to reset a password. From the security testing point of view, those things are a lot easier to find than buffer overflows."
Microsoft also uses the Passport service as the authentication front-end for a number of its sites used by software developers and beta testers.
Christchurch developer Philip Quinn says Passport is a good idea, but the implementation of it, especially on the security side, appears to leave something to be desired.
Quinn uses two Passport accounts for his work "out of necessity" but would prefer not to use them at all.
Tikiri Wicks, a .Net developer of south Auckland, says he avoids using the Passport service as much as possible, as he feels Microsoft is pushing people into signing up for it.
On those occasions when Wicks uses Passport, he signs up a throw-away freemail account with bogus information rather than using his real email address.
However, EDS Wellington-based information analyst Mark Lawrence says that “it is wrong to complain about Passport, as developers are not forced to use it”. Lawrence says he opted to use Passport to access Microsoft Developer Network subscriber-only web content, and for contributing to developer community site GotDotNet. He is “comfortable with this choice”.
Even so, Lawrence has made sure that the information Microsoft holds on him at the Passport service is kept to a “bare minimum”, but adds that this is his policy for “all online information stores”.
Microsoft New Zealand issued a written statement saying that it “takes all reported [security] incidents very seriously. At the time of the issue being reported, Microsoft responded by temporarily disabling the feature by which customers can reset passwords via email.”