A gaping security flaw in Microsoft's Passport identification system left the accounts of over 200 million subscribers open to hackers for seven months, according to news reports Friday.
The flaw was exposed by a Pakistani researcher whose own account was hijacked. He then took just a few minutes to discover that by typing in a certain Microsoft web address together with a command he could access and change the information on any Passport account.
A Passport account contains extensive personal identification information and credit card numbers. It was designed as a single package intended to make purchasing things online easier.
Microsoft Thursday admitted the flaw and said it had fixed it by limiting access to the web address to computers in its own network.
The company said that it had frozen all accounts that may have been tampered with but said that there was no evidence that any accounts had actually been seized.
The disclosure was highly embarrassing to the software giant, which last year launched a "Trustworthy Computing Initiative" aimed at reducing the large number of software bugs and security flaws that traditionally plague its programs.
Microsoft also faces the prospect of a hefty fine from the Federal Trade Commission.
Under an agreement reached with the FTC in mid-2002, Microsoft said it would take reasonable steps to protect Passport accounts, pledged to stop overselling the security of the sign-in system and agreed to pay if it failed in its duty.
Microsoft potentially faces an enormous fine if the full fee of 11,000 dollars per security lapse is applied by the FTC.
Microsoft touts its Passport identification system as a single, convenient method for people to identify themselves on the Internet, and hopes it will become the main tool people use for purchases online of movies, music, travel and banking services.
Because Passport is closely tied to Microsoft's flagship Windows XP software, the company virtually forces users of Hotmail and other Microsoft services to register a Passport identity, in which subscribers type in addresses, phone numbers, email accounts and credit card information.
The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any Passport account. He said he sent 10 e-mails to Microsoft explaining his findings but never received a response.