A serious security flaw in Microsoft"s Passport service put users" accounts, including their personal information and credit card numbers, at risk of being hijacked.
The flaw, in Passport"s password recovery mechanism, allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure.
The simplicity of the attack and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.
"It is hardly an exploit or even vulnerability; it"s just a flaw, in their Web-application logic," the person who posted the vulnerability said in an e-mail to CNET News.com. "The flaw has been there since long time, I just discovered it recently," wrote the individual who identified himself as Muhammad Faisal Rauf Danka. He claimed to be a Pakistani security consultant and MBA candidate.