Microsoft Shuts Down Passport Service To Fix Flaw in Credit-Card Security
interactive.wsj.com
By DON CLARK Staff Reporter of THE WALL STREET JOURNAL
Microsoft Corp. closed a portion of its Passport Internet authentication service for more than 48 hours to address a security problem that could disclose users' credit-card information under some circumstances.
The problem comes as the Redmond, Wash., software company prepares to host a high-profile security conference, at which the company is expected to propose that companies and computer experts agree to limit disclosure of information about security issues.
Passport is a free Internet service that offers users a way to log on to multiple Web sites while entering their user names and passwords only once. That authentication function -- which is being offered to sites Microsoft runs as well as other companies' services -- is a steppingstone to Microsoft's plans to roll out additional paid Web services. Users of Microsoft's popular free e-mail service, Hotmail, automatically get Passport accounts.
The security problem is associated with Passport's wallet service, also called Express Checkout, which is an option that allows users to store credit-card and shipping information to reduce the keystrokes needed to make purchases on e-commerce sites.
A Seattle-area programmer, Marc Slemko, discovered the flaw and informed Microsoft of it last week. He conceived of a way to send a booby-trapped message to Hotmail users that can be used to steal personal information from their Passport wallet accounts. It works when Hotmail users open the message shortly after logging on and relies on a technique called cross-site scripting.
An attacker can use the technique to steal special strings of text, known as cookies, that a Web site places in a browser when a user visits it. Stolen cookies can be used to fool the Passport service into giving up information such as a user's credit-card data, Microsoft said.
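The defensive counterpart to the flaw described above is to render untrusted mail HTML only after passing it through an allowlist sanitizer, so that script blocks, event-handler attributes and script-scheme links never reach the browser where they could read the session cookies. The following is an added example, not Microsoft's or Hotmail's code; the tag and attribute allowlists and the sample message are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser
# Allowlists are assumptions for a hypothetical webmail renderer, not Hotmail's rules.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside <script>/<style>; their content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag is dropped, its text content is still emitted
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers and non-allowlisted attributes are dropped
            if name == "href":
                # strip whitespace/control chars so "java\tscript:" cannot hide the scheme
                scheme_check = "".join(ch for ch in (value or "") if ch > " ").lower()
                if not scheme_check.startswith(SAFE_URL_SCHEMES):
                    continue  # blocks javascript:, data:, vbscript: and scheme-less links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # re-escape text so decoded entities cannot become markup
            self.out.append(escape(data, quote=False))

def sanitize_email_html(html: str) -> str:
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample: a booby-trapped message of the kind the article describes.
CONSTRUCTED_MESSAGE = '<p>Hi!<script>exfil(document.cookie)</script><a href="javascript:x()" onclick="x()">click</a></p>'
```

Running `sanitize_email_html(CONSTRUCTED_MESSAGE)` yields `<p>Hi!<a>click</a></p>`: the script body, the handler attribute and the script-scheme link are gone while the visible text survives.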
Adam Sohn, a Microsoft product manager associated with Passport, said the company quickly figured out a way to fix the immediate problem but kept the service offline for about two days, from Thursday to Saturday, as it evaluated other security issues suggested by Mr. Slemko's discovery. "There is zero evidence that anyone took advantage of this flaw," Mr. Sohn said.
But the problem comes at an inopportune time. Microsoft is trying to get more companies to use Web services such as Passport, which claims more than 160 million users, and improve its own image for operating such services reliably.
"If Microsoft's security isn't up to par, what happens when more sites start using Passport?" Mr. Slemko asked.
Next week, Microsoft is convening what it is calling the Trusted Computing Forum in Mountain View, Calif., to discuss security issues. Among other things, Microsoft and other participants are expected to discuss ways to work together to limit what information is disclosed about the details of security flaws. Robert Culp, manager of Microsoft's security-response center, argued in an essay last month that "information anarchy" is contributing to the rapid spread of virus programs and other destructive actions by malicious hackers.
Some security professionals believe that full disclosure of technical details is important to let the widest collection of experts study problems and solutions to them.
"We are committed to working with our partners to come up with a consensus on this tough issue of security vulnerability disclosure," a Microsoft spokesman said during the weekend.