Microsoft senior manager Jeff Jones said he believes no Passport accounts were stolen. Jones declined to say how many people were at risk but said the flaw affected only a small number of users who had created their accounts more than four years ago. As part of its repair efforts late Monday, Microsoft briefly prevented some Passport users from manually changing their passwords.
Passport, which offers consumers a convenient method for identifying themselves across different Web sites, also controls access for Windows users to the Hotmail e-mail service and instant-messaging accounts.
"To the best of our knowledge, no one exploited this," Jones said.
Microsoft said it learned about the vulnerability after a self-described security consultant published details to an Internet discussion list, a practice that has increasingly frustrated executives who prefer researchers to quietly work with software vendors to resolve such problems before announcing them publicly.
The consultant, who identified himself as Victor Manuel Alvarez Castro of Mexico, wrote that he tried unsuccessfully to contact Microsoft "several times" by e-mail.
It was the second admission by Microsoft of a serious vulnerability in Passport since last summer's settlement with the Federal Trade Commission, which had accused Microsoft of deceptive claims about Passport's security. In response, the company pledged to take reasonable safeguards to protect those accounts and submit to audits every two years for the next 20 years or risk fines up to $11,000 per violation.
In May, a Pakistani computer researcher determined that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any Passport account. The FTC still has not determined what sanctions and fines, if any, to assess against Microsoft in that incident.
By Ted Bridis