Microsoft security service said to allow some account hijackings.
A newly disclosed vulnerability could let attackers reset passwords and hijack older Microsoft .Net Passport accounts, according to a message on an online mailing list discussing software vulnerabilities.
.Net Passport is Microsoft's online identity management service. It enables customers to use a single e-mail address and account password to sign on to a variety of affiliated services and Web sites. Microsoft's free Hotmail e-mail service and a number of partner sites support .Net Passport.
The vulnerability is in code used to help users who have forgotten their account password.
Microsoft has implemented a Secret Question feature to validate the identity of a user who needs to reset an account password. But according to the security list discussion, attackers can manipulate this feature on .Net Passport accounts that were set up before Microsoft implemented the Secret Question function. The flaw was described in a message posted by Victor Manuel Alvarez Castro, who identifies himself as a security consultant.
News source: PCWorld