Windows Phones Open to Wi-Fi Authentication Protocol Security Weakness
Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your passwords when connected to rogue Wi-Fi hotspots.
In a new security advisory, Microsoft acknowledged a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
Microsoft is not aware of active attacks or of customer impact, at least for now.
An attacker who exploits this issue could obtain a victim's domain credentials from the targeted device. The attacker could then re-use those credentials to authenticate to network resources and take any action that the user could take on those resources.
There is no security patch available for this, but Microsoft suggests that you enable the certificate verification process before executing the PEAP-MS-CHAPv2 protocol to connect to Wi-Fi hotspots.
The bulletin contains instructions for configuring your Windows Phone versions 7.8 or 8 to fix the security flaw.