How do these people manage to even tie their own shoelaces? Major Microsoft security flaw exposed.
“The flaw, in Passport’s password recovery mechanism, allowed an attacker to change the password on any account to which the user name is known…It is hardly an exploit or even vulnerability; it’s just a flaw in their web-application logic.”
I also note that:
“Microsoft moved quickly to prevent online vandals from exploiting the issue. The advisory was posted just before 20:00(PDT), and by 23:30(PDT), the software giant had essentially turned off the vulnerable feature. “We have shut down all ability to reset passwords,” said Sean Sundwall, spokesman for the company.”
Three and a half hours to remove a page? IMHO the quickest fix would have been to remove the ‘page’ to which this exploit submitted and live with a 404. It should have taken about 5 minutes to confirm the problem, 5 minutes to remove it, 5 minutes to test and maybe 15 minutes to deploy to live.