Password flaw cracks Passport security


Posted by Diana on May 8, 2003 in Analysis

“A serious security flaw in Microsoft’s Passport service put customers’ accounts, including their personal information and credit card numbers, at risk of being hijacked.
The flaw, in Passport’s password recovery mechanism, could have allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure.”

According to the article, the first thing MS did to contain the damage was to shut off every user's ability to reset their password, legitimate users included. That is fairly disturbing: the emergency fix for a broken recovery path was to remove recovery altogether. MS takes a lot of heat on the security front, and while its recent efforts to harden the OS and its applications are laudable, application logic flaws like this one are not acceptable in a widely deployed authentication service, especially one that fronts high-value data such as credit card numbers. A password recovery mechanism is a second way to authenticate to the account, and it has to be held to the same standard as the login itself.
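The article names the class of flaw (a recovery step that anyone who knows the username can drive to completion) but not its mechanics, so what follows is an added illustration of that class in general; it is not Passport's code and makes no claim about how the actual Passport bug worked. It shows a reset flow that lets the requester choose where the reset link is delivered, beside a hardened flow in which the destination comes only from the account record and the token is random, stored hashed, time-limited and single-use. The account store, the e-mail addresses and the in-memory outbox are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample account store (not Passport's data): username -> record.
ACCOUNTS = {
    "alice": {"email": "alice@example.test", "password": "correct horse"},
}

# In-memory outbox standing in for the mail system so the example runs offline.
OUTBOX = []  # list of (recipient, body)


def send_mail(to, body):
    OUTBOX.append((to, body))


def extract_token(body):
    """Pull the token out of a reset mail body of the form 'reset?token=...'."""
    return body.split("token=", 1)[1]


# --- Vulnerable pattern (hypothetical; illustrates the flaw class only) ---
# The request lets the caller name the delivery address, so the reset link is
# not bound to the account's registered mailbox. Knowing a username is enough.
INSECURE_TOKENS = {}  # token -> username


def request_reset_insecure(username, deliver_to):
    if username not in ACCOUNTS:
        return False
    token = secrets.token_urlsafe(16)
    INSECURE_TOKENS[token] = username
    send_mail(deliver_to, f"reset?token={token}")  # attacker-chosen destination
    return True


def complete_reset_insecure(token, new_password):
    username = INSECURE_TOKENS.pop(token, None)
    if username is None:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True


# --- Hardened pattern ---
RESET_TTL_SECONDS = 15 * 60
PENDING = {}  # sha256(token) -> (username, expiry); raw token is never stored


def _token_id(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Delivery address is read from the account record, never from the request.
    Returns True whether or not the username exists so the endpoint cannot be
    used to enumerate accounts."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        return True
    token = secrets.token_urlsafe(32)
    PENDING[_token_id(token)] = (username, now + RESET_TTL_SECONDS)
    send_mail(account["email"], f"reset?token={token}")
    return True


def complete_reset(token, new_password, now=None):
    """Token must be unexpired and is consumed on first use."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_id(token), None)  # single use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True


def attacker_hijacks_insecure(victim):
    """Attacker knows only the victim's username and supplies their own address."""
    OUTBOX.clear()
    request_reset_insecure(victim, "attacker@evil.test")
    to, body = OUTBOX[-1]
    if to != "attacker@evil.test":
        return False
    return complete_reset_insecure(extract_token(body), "owned") \
        and ACCOUNTS[victim]["password"] == "owned"


def attacker_mail_from_hardened(victim):
    """Same attacker against the hardened flow: returns every reset mail that
    reached the attacker's mailbox (expected: none)."""
    OUTBOX.clear()
    request_reset(victim)
    return [body for to, body in OUTBOX if to == "attacker@evil.test"]


if __name__ == "__main__":
    print("insecure flow hijacked:", attacker_hijacks_insecure("alice"))
    print("hardened flow leaked to attacker:", attacker_mail_from_hardened("alice"))
```

The point the hardened version makes is the one the article's flaw turns on: the only secret in a reset flow is the token, so the service, not the requester, has to decide where it goes, and the token has to be unguessable, short-lived and unusable twice. Everything else (hashing the stored token, the constant answer for unknown usernames) is defence in depth.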

MS has come a long way with their security, but as this flaw highlights, they still have a way to go.
