Microsoft Corporation has fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address. The false e-mail address could then be used as an ID for Microsoft"s Live Messenger program, which could trick a user into thinking they are chatting with someone who is not whom they appear to be. Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw"s impact.
It"s unclear how long the flaw may have existed or how many accounts with deceptive instant messenger IDs could have been created. If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).
However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning. Microsoft should try to shut down the fake accounts as soon as possible but it could be difficult, especially if Microsoft was not aware of the flaw and can"t track the spoofed accounts. An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. Users could be tricked into thinking they are talking to someone they trust.