Microsoft to investigate Passport security 'flaw'

Microsoft is today investigating a potential flaw in its Passport authentication engine which could cast a shadow over the software giant's .NET strategy.

Microsoft's move follows an email received by silicon.com from reader Mark Hollingworth, whose firm Team Up Workforce is a user of Microsoft's e-open.microsoft.com licensing programme.

This programme allows users to control their licences over the web. Users are authenticated via the Passport engine.

Last week, IT manager Hollingworth was surprised to find his account also gave him access to the account details of another Microsoft licence holder, a Brazilian company called Panambra Industrial.

He is now able to view the authorisation numbers, licence agreements and name and address of the other firm. His attempts to contact Microsoft to have the situation rectified have so far proved fruitless - both Microsoft and Hollingworth's reseller, London-based Simply Computers, have failed to return his calls.

A Microsoft spokeswoman admitted it is looking into a customer inquiry relating to an alleged security breach, and said it would be contacting the customer in due course. She refused to offer any further comment other than to say: "As far as we know so far, the problem here has no direct relation to Passport".

Microsoft refused to reassure other Passport users by saying whether the problem was a one-off or if it was a more general software fault. It did say it is "investigating the matter, which involves a third party".

Simply Computers flatly refused to make any comment at all, saying it was a confidential matter between itself and the customer.

Passport is one of the basic technologies on which Microsoft is basing its .NET vision of linked web services.

Currently used to identify Hotmail users, this technology will also provide the authentication and security behind the services, theoretically giving a single point of access to a user's entire online portfolio.

If the glitch discovered by Hollingworth proves to be more than a one-off, it will draw a question mark over the security of Passport, which would be very damaging to Microsoft's multi-billion dollar .NET initiative.

Mat Hanrahan, analyst at Bloor Research, said: "When you're talking about a single sign-on point for a whole range of services, it has got to be absolutely watertight and has got to be seen to be watertight. If Passport isn't secure, this single sign-on could be an absolute boon for criminals."

Microsoft has been long criticised for poor software security. Bill Malik, VP and research area director for analyst house Gartner Group, wasn't surprised at the suggestions of a flaw. He said: "Microsoft software is deeply flawed in terms of the shallowness of its approach to information security. I can see many potential customers viewing their .NET vision as presenting an intolerable level of risk."