Vulnerabilities discovered in Microsoft's free e-mail and Passport authentication services allowed a programmer to access credit card information stored on the company's servers, forcing it to shut down the electronic wallet feature in Passport until it can fix the problem, Microsoft confirmed Friday.
By exploiting holes in Microsoft's Hotmail e-mail service, as well as the Passport.com Web site used behind the scenes when a user logs onto Passport, a Seattle-based programmer was able to create a program which he said exposed personal information submitted by subscribers. The Web site Wired News first reported the exploit after testing the vulnerability with the programmer who discovered it.
"We took some quick steps to verify and fix the issues," said Adam Sohn, a product manager with Microsoft's .Net team. "As a general safety precaution we made the decision to take the (wallet) service off line."
He said there is no evidence that anyone exploited the holes or that information was compromised before the fixes were made Thursday afternoon. Microsoft will reinstate the wallet service soon, he said.
Passport allows users to log on to the Web once and then gain access to a range of Microsoft properties and services, from its MSN network of Web sites to the Web services it is rolling out called .Net My Services. The company also has deals with third-party Web sites, such as eBay and Starbucks.com, that allows users to log into those sites without re-entering their user name and password.
The electronic wallet feature of Passport, called Passport Express Purchase, stores credit card information and mailing addresses so that users can also make purchases at Web sites that support the technology.
Marc Slemko, a software engineer and founding member of the Apache Software Foundation, identified the vulnerability after discovering what he described as a series of weaknesses with Microsoft's Internet services. "I started looking at the security of Passport when Microsoft began pushing it for much broader use," he said Friday.
Slemko has created a Web site at http://alive.znep.com/~marcs/passport/, which details his findings and discusses what he said are other security issues with Passport.