05 Nov 2001
Microsoft's .Net strategy sprung a leak at the end of last week when one security watcher pointed out that it is possible to hijack another user's Passport account.
The Redmond Giant is attempting to position its Passport single sign-on authentication service as the only identity that a user should need online.
There are thought to be about two million Passport users who could be vulnerable to the flaw.
The Passport Wallet holds details concerning a user's website accounts, passwords and credit card details.
US researcher Marc Slemko has written a paper on the flaws in which he reveals that an attacker can hijack an account, along with its associated passwords and credit card details, by sending a maliciously crafted email.
One of the problems Slemko points out, and which Microsoft has attempted to fix, is the 15-minute window an attacker has in which to steal an authentication cookie from the user.
Apparently Microsoft has since cut this authentication window down to two minutes, which should reduce the threat, "but doesn't eliminate it, especially from automated attack," said Slemko.
After Slemko's warnings, Microsoft is looking at ways of ironing out the bugs, including compartmentalising some of the cookies to limit their exposure; moving security to the Kerberos system; adding some "innovative new spoof protection features" to make it harder to steal passwords that way; and beefing up authentication measures with sites participating in Microsoft Passport.
"They [Microsoft] have been very forthcoming and willing to fix things, and do appear to have had various changes in the plans that would reduce some of the threats," said Slemko.