Security fail: Microsoft is transmitting Outlook.com and OneDrive user IDs in clear text
Microsoft is always going on about cybersecurity but a blogger has spotted that the computer giant is exposing the ID numbers of all users who access its online services such as Outlook.com and OneDrive.
Annoyed Microsoft User, a blogger based in Beijing, has spotted that although all Microsoft sites use secure HTTPS connections, when a user logs in to their account Microsoft places a unique 16-character identifier known as a CID in the host name of the URL, and that host name is sent in plain text in the DNS lookup request your computer makes to find Microsoft's server.
This is a big deal because the CID is visible to anyone who can monitor your DNS traffic or who can read your web traffic logs, so this means not just hackers but also anyone with administrator privileges on your network, whether at the workplace, a library or a school.
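To show what "visible to anyone who can monitor your DNS traffic" means in practice, here is a small detection script that scans DNS query logs for the host name pattern the blogger describes and reports which clients on a network are leaking a CID. It is an added example written for this article, not code from the blogger or from Microsoft: the log lines are constructed in a dnsmasq-like layout, and matching the 16-character CID as hexadecimal is an assumption, since the article only gives its length. Reports redact the CID so the tool itself does not re-expose it.

```python
import re
from collections import defaultdict

# Host name pattern described in the article: cid-<16-character CID>.users.storage.live.com
# Matching the CID as 16 hex characters is an assumption; the article states only its length.
CID_HOST_RE = re.compile(r"\bcid-([0-9a-fA-F]{16})\.users\.storage\.live\.com\b")

# Constructed sample DNS query log (timestamp, client IP, query type, name).
# These lines are made up for the example and are not a real capture.
SAMPLE_DNS_LOG = """\
2015-09-22T10:01:03 192.0.2.10 query[A] cid-0123456789abcdef.users.storage.live.com
2015-09-22T10:01:04 192.0.2.10 query[A] outlook.live.com
2015-09-22T10:02:17 192.0.2.23 query[A] cid-fedcba9876543210.users.storage.live.com
2015-09-22T10:02:18 192.0.2.23 query[AAAA] cid-fedcba9876543210.users.storage.live.com
2015-09-22T10:05:40 192.0.2.10 query[A] cid-0123456789abcdef.users.storage.live.com
2015-09-22T10:06:02 192.0.2.31 query[A] www.example.com
"""


def parse_dns_log_line(line):
    """Split one log line into (timestamp, client, name); return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[3]


def extract_cid(hostname):
    """Return the CID embedded in a users.storage.live.com host name, or None."""
    match = CID_HOST_RE.search(hostname)
    return match.group(1).lower() if match else None


def redact_cid(cid):
    """Keep only the first four characters so a report does not re-expose the identifier."""
    return cid[:4] + "*" * (len(cid) - 4)


def find_cid_exposures(log_text):
    """Map each leaked CID to the set of client IPs that queried it and the query count."""
    exposures = defaultdict(lambda: {"clients": set(), "queries": 0})
    for line in log_text.splitlines():
        parsed = parse_dns_log_line(line)
        if parsed is None:
            continue
        _timestamp, client, name = parsed
        cid = extract_cid(name)
        if cid is None:
            continue
        exposures[cid]["clients"].add(client)
        exposures[cid]["queries"] += 1
    return dict(exposures)


def exposure_report(log_text):
    """Human-readable summary, one line per leaked CID, with the CID redacted."""
    lines = []
    for cid, info in sorted(find_cid_exposures(log_text).items()):
        clients = ", ".join(sorted(info["clients"]))
        lines.append(f"{redact_cid(cid)} queried {info['queries']}x from {clients}")
    return lines


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_DNS_LOG):
        print(row)
```

Run against a real resolver log, the same function tells a network administrator how many accounts are identifiable from DNS alone; the point of the redaction step is that an audit of this leak should not produce a second copy of the identifiers it is auditing.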
If anyone gets access to your CID number, they can then access metadata on the Live Service and use it to download your account picture, to find out your real name and when you created your account, and other identifying information, such as your location, if you allow the Live Calendar app to display weather forecasts.
Your CID is visible when you share a file on OneDrive
Whenever you share a file on OneDrive, you are given a URL that includes a sequence number and your CID, so if you pass that URL to someone, you are also handing them a way to track you.
Also, if you have linked your Microsoft account with your Skype account (now known as the Live Service), then anyone who knows the name you use on your Microsoft account can use the People app to find out your CID, which would be useful if someone was trying to figure out your identity by matching it to web traffic sent over an IP address.
You might not be too concerned if you typically use an anonymising network such as Tor or a virtual private network (VPN) to disguise where your web traffic comes from. Unfortunately, as soon as your web traffic leaves a Tor exit node, people can still see the CID in the URL.
What do we do for now?
The blogger's findings were also independently verified by tech news site Ars Technica, which found the CID visible in packet captures of connections to Outlook.com, OneDrive.com and the Windows account page.
So what can you do about this? At the moment, the only way to stop your CID from being revealed is not to share URLs from OneDrive and to modify your hosts file so that no DNS lookup is made for the following host name:
cid-[your CID number here].users.storage.live.com
However, modifying the hosts file is a very technical workaround that users should not have to resort to, and unfortunately it does not work if you are using a proxy server, an anonymising network or a mobile device.
"The original web protocols were designed to allow applications to programmatically access public profile items. Non-public items are protected by user controlled authorisation. Our recent protocols are more restrictive and over time we will phase out the older versions," a Microsoft spokesperson told IBTimes UK.
UPDATE: This story has been updated to include Microsoft's response regarding the CID exposure issue.
© Copyright IBTimes 2024. All rights reserved.