Another serious hack of Microsoft Passport.
The flaw allowed a single Web address--or URL--to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account's password to be reset. By following the link returned in the message, the attacker can change the password for the victim's account.

Bugs like this are incredibly common, usually not worth reporting. But Passport is different. Passport wants to be the single trusted repository of personal data, all your eggs in one basket. I worry they don't have a fundamental systems security model to make that safe.

This isn't the first time Passport has been hacked, either.

  2003-05-08 15:37 Z