Marc Slemko, a Seattle developer, demonstrated that if a user viewed one of Slemko's messages within 15 minutes of signing on to Hotmail (which now requires Passport), he could retrieve all of that user's cookies and use them to access the person's Passport information.
After notifying Microsoft, and being assured that the company was temporarily taking its Express Purchase system offline on November 1, Slemko published a white paper on this and other severe security problems with Passport.
I'm glad to see that a little guy can still wield some influence over the behaviour of a software giant. The weakness in Passport that Slemko forced Microsoft to address was similar to, but different from, the major problem that I warned readers about a couple of months ago.
That problem, which still exists, is that Windows 95, 98 and Windows Me leave a user's ID and password visible in memory, where any rogue email or Trojan horse can retrieve it during a user's dial-up connection to an ISP and for 10 minutes afterward. In Slemko's case, the 15-minute vulnerability was due to a cache on Microsoft's Passport web server.
Microsoft reduced the Passport server timeout and placed Express Purchase back online on November 3. The company said in a statement that the vulnerability would not have affected users running the new Windows XP operating system.
But Microsoft didn't wait until customers had XP before requiring millions of Hotmail subscribers to use Passport to log on. There are hundreds of millions of vulnerable PCs out there and Microsoft now requires that Passport be the only way to access an increasing number of services.
In an email interview, Slemko stressed that the specific hole he demonstrated isn't the point. "The issues I raised apply to the use of Passport in general, and become more and more important with every new site that uses Passport," he said.
"Passport is lacking in features that are necessary to protect the security and privacy of users with the sites deployed using it today, let alone the even higher level required if Passport is to be deployed in the pervasive way that Microsoft envisions," Slemko added. "Some of the flaws I came across are such trivial implementation flaws that you have to question Microsoft's commitment."
In other words, reducing a server timeout in no way solves the larger problem. There's more going on. I'd be interested to hear your findings, too.
Brian Livingston's latest book is Windows Me Secrets. Send tips to firstname.lastname@example.org.