I had my doubts about Microsoft’s Passport, but this really sums it up.
The flaw allowed a single Web address–or URL–to be used to request a password reset from the Passport servers. The URL contains the e-mail address of the account to be changed and the address where the attacker would like to have the reset message sent. By entering the single line into a Web browser an attacker can cause the Passport servers to return a link that allows an account’s password to be reset. By following the link returned in the message, the attacker can change the password for the victim’s account.
So, in about 15 seconds, knowing your user account name, I could change your password and, if you saved additional personal details, claim your credit card and other info. Plus, since Passport’s been integrated into such sites as Citicard and Verizon Wireless’s Mobile Web service, access to these sites would be compromised as well.
Don’t that just make you feel all warm and fuzzy?
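For contrast, here is what a reset handler looks like when it does not make that mistake. This is an added example, not Passport code or code from the post: the recipient address is taken from the account record, never from the request, and the link carries a random, single-use, expiring token. The USERS store, the token table and the example URL are constructed.

```python
import hashlib
import secrets
import time

# Constructed in-memory account store and token table (not a real system).
USERS = {"victim@example.com": {"password": "old-pass"}}
RESET_TOKENS = {}          # sha256(token) -> (account, expiry time)
TOKEN_TTL = 15 * 60        # reset links die after 15 minutes


def request_reset(form):
    """Start a reset. A 'send_to' field like the one in the Passport URL is
    accepted by the parser but ignored: the mail goes only to the address
    on file. Returns the message to send, or None if the account is unknown
    (the HTTP reply to the caller should look identical in both cases)."""
    account = form.get("email", "")
    if account not in USERS:
        return None
    token = secrets.token_urlsafe(32)                 # unguessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (account, time.time() + TOKEN_TTL)
    return {"to": account,                            # from the record, not the form
            "link": "https://example.invalid/reset?token=" + token}


def complete_reset(token, new_password, now=None):
    """Consume a token from the link and set the new password. The token is
    removed on first use, so a replayed link fails; expired tokens fail too."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)           # single use
    if entry is None:
        return False
    account, expiry = entry
    if now > expiry:
        return False
    USERS[account]["password"] = new_password
    return True
```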