Sunday, October 4, 2015

Microsoft, stop sending user identifiers in clear text

When you use a free Microsoft web app such as Outlook.com or OneDrive, or visit your Microsoft account page, an HTTPS request is made to display your profile picture. That seems innocent until you notice something fishy: a numerical identifier of your account is included in the host name part of the URL, making it visible to anyone who can monitor your DNS traffic (when the name is not cached) or anyone who has access to your web traffic log (e.g., when you use a proxy server).


The identifier in question is known as the CID: a 64-bit integer (usually written as an unsigned, 16-digit hexadecimal number) that is persistently associated with each Microsoft account and widely used in Microsoft APIs to identify users.

So, what’s the problem?


What’s the problem with this?  Well, it turns out that the CID can reveal quite a bit about the account owner.  For example, if your account’s CID is 039827D56AE85E00 and Alice knows it, she could
It used to be the case that OneDrive.com simply showed anyone’s profile picture and display name; Microsoft has since changed the user interface to make this a little harder to find.  (The old UI is still available, though.)

These are not the only pieces of information that can be revealed.  In fact, the settings of some legacy apps are publicly readable; for example, if you let the Calendar app display weather forecasts, Alice can learn the location and temperature unit you chose.


(The CID 039827D56AE85E00 mentioned above belongs to a demo account, and was published in a Microsoft blog post, so it’s harmless to post it here.)

CID disclosures


As noted at the beginning, when you use one of Microsoft’s free web apps and the host name containing your CID is resolved, the query is visible to anyone who can monitor your DNS traffic.  This includes everyone from the packet sniffers at your local coffee shop, to your ISP, and ultimately to the men and women defending national security at the Internet backbones.  If you use Tor, your CID is visible to the exit node.

Update: as vbezhenar pointed out, the CID is visible to eavesdroppers even if no DNS lookup is made.  The host name, CID included, is sent in clear text in the Server Name Indication (SNI) extension of the TLS ClientHello, before any encryption is negotiated, so anyone who can see the HTTPS connection itself sees it too.
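To make the two exposure points concrete, here is an added example (my own code, not part of the original post or any Microsoft tool) of what a passive observer sees in each case. It builds a constructed DNS query and a constructed, minimal TLS ClientHello for the profile-picture host, parses them the way a sniffer would (RFC 1035 wire format for DNS, the ClientHello layout with the RFC 6066 server_name extension for TLS), and pulls the CID out of the host name with a regular expression. The packets are synthetic; the CID is the demo one from the post. Reading real traffic (pcap files, TCP reassembly) is out of scope and assumed to be done by whatever feeds bytes to scan().

```python
import re
import struct

# Host name pattern from the post: cid-<16 hex digits>.users.storage.live.com
CID_HOST_RE = re.compile(r"^cid-([0-9a-f]{16})\.users\.storage\.live\.com$", re.IGNORECASE)


def cid_from_host(name):
    """Return the CID (upper-case hex) if the host name is a profile-picture host, else None."""
    if name is None:
        return None
    m = CID_HOST_RE.match(name.rstrip("."))
    return m.group(1).upper() if m else None


# --- what a DNS sniffer sees --------------------------------------------------

def dns_qname(packet):
    """Name in the first question of a raw DNS message (RFC 1035 wire format)."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:                          # compression pointer: not expected in a query
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None


# --- what a TLS sniffer sees (no DNS needed) ----------------------------------

def tls_sni(record):
    """server_name from a TLS record carrying a ClientHello, or None."""
    if len(record) < 6 or record[0] != 0x16:       # content type: handshake
        return None
    hs = record[5:]
    if hs[0] != 0x01:                              # handshake type: ClientHello
        return None
    pos = 4 + 2 + 32                               # type+length, client_version, random
    pos += 1 + hs[pos]                             # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                             # compression_methods
    if pos + 2 > len(hs):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                             # server_name extension (RFC 6066)
            lp, lend = pos + 2, pos + elen         # skip ServerNameList length
            while lp + 3 <= lend:
                ntype = hs[lp]
                nlen = struct.unpack("!H", hs[lp + 1:lp + 3])[0]
                if ntype == 0:                     # name_type host_name: plain ASCII, no encryption
                    return hs[lp + 3:lp + 3 + nlen].decode("ascii", "replace")
                lp += 3 + nlen
        pos += elen
    return None


# --- constructed sample traffic (not captured; built here for the demo) -------

def build_dns_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN


def build_client_hello(sni):
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                # TLS 1.2, all-zero random (demo only)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def scan(packets):
    """packets: iterable of ("dns"|"tls", bytes). Returns [(source, host, cid)] for CID hosts."""
    hits = []
    for kind, raw in packets:
        host = dns_qname(raw) if kind == "dns" else tls_sni(raw)
        cid = cid_from_host(host)
        if cid:
            hits.append((kind, host, cid))
    return hits


if __name__ == "__main__":
    demo = "cid-039827d56ae85e00.users.storage.live.com"   # demo CID from the post
    for hit in scan([("dns", build_dns_query(demo)),
                     ("tls", build_client_hello(demo)),
                     ("dns", build_dns_query("www.live.com"))]):
        print(hit)
```

The point of the two parsers is that neither needs a key or any cryptography: the name is a plain ASCII string in both the DNS question and the ClientHello, which is exactly why caching the DNS answer does not help against an observer who can see the TLS connection.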

When you use an HTTPS proxy server, the host names are visible to anyone who can access the proxy’s traffic log: the browser asks the proxy to open the tunnel with a plain-text CONNECT request that names the host, before any TLS takes place.  This may be the case, for example, at schools and libraries that use proxy servers to filter web content.

In addition, when you share a file on OneDrive, you get a URL that contains your CID.  (Files on OneDrive are identified by a CID and a sequence number.)  So before you share this URL with someone else, think twice.

And there’s more.  If you have linked your Microsoft account with your Skype account, anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app.


It should be mentioned, though, that Microsoft has started to migrate Outlook.com mailboxes to Exchange Online, so the current People app will be phased out eventually.  (That said, the current “Outlook Mail (Preview)” on Exchange Online still loads your account picture from the same URL.)

What to do


Let’s wrap it up.  There are really two problems: one is that CIDs get unnecessarily disclosed, in host names, sharing links, etc.; the other is that important, potentially personally identifying information about a Microsoft account can be revealed simply by knowing its CID.

For most users, the simplest workaround is to add an entry to the hosts file that points cid-___.users.storage.live.com (where the blank stands for your CID as 16 zero-padded hexadecimal digits) at an unroutable address such as 0.0.0.0.  The browser then never sends a DNS query for that name and never opens a TLS connection to Microsoft’s server for it, so neither the DNS nor the SNI leak occurs; the only cost is that your profile picture fails to load.  This won’t help, of course, if you must use a proxy server or your DNS lookups are made remotely (as with Tor, where the browser hands the host name to the Tor client and the hosts file is bypassed).  It is also not an option on most smartphones.
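An added example (my own script, not from the original post) of applying that workaround without getting the name wrong: it normalises a CID given in any hexadecimal spelling (upper or lower case, with or without 0x, leading zeros dropped) into the 16-digit zero-padded host name, and merges a sinkhole entry into a hosts file only if the name is not already mapped, so running it twice is harmless. The hosts-file locations and the 0.0.0.0 sinkhole address are assumptions, not something the post specifies.

```python
import re
import socket

SUFFIX = ".users.storage.live.com"
SINKHOLE = "0.0.0.0"   # assumed: unroutable, so the browser's connection fails locally
# Assumed default hosts-file locations: /etc/hosts on Linux and macOS,
# C:\Windows\System32\drivers\etc\hosts on Windows. Editing them needs root/Administrator.


def cid_hostname(cid):
    """Profile-picture host name for a CID given as hex (any case, optional 0x, short forms allowed)."""
    s = str(cid).strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not re.fullmatch(r"[0-9a-f]{1,16}", s):
        raise ValueError(f"not a 64-bit hexadecimal CID: {cid!r}")
    return f"cid-{int(s, 16):016x}{SUFFIX}"   # zero-padded to 16 hex digits, lower-case


def hosts_entry(cid):
    return f"{SINKHOLE} {cid_hostname(cid)}"


def hostnames_in(line):
    """Host names mapped on one hosts-file line, ignoring comments and the address field."""
    fields = line.split("#", 1)[0].split()
    return {f.lower() for f in fields[1:]}


def merge_entry(hosts_text, cid):
    """Return (new_text, changed). Idempotent: an existing mapping for the name is left alone."""
    name = cid_hostname(cid)
    if any(name in hostnames_in(line) for line in hosts_text.splitlines()):
        return hosts_text, False
    sep = "" if hosts_text == "" or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + hosts_entry(cid) + "\n", True


def sinkhole_cid(hosts_path, cid):
    """Apply merge_entry to the file on disk; True if the file was changed."""
    with open(hosts_path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = merge_entry(text, cid)
    if changed:
        with open(hosts_path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


def is_sinkholed(cid):
    """Check via the system resolver (which consults the hosts file) that the name now maps locally."""
    try:
        return socket.gethostbyname(cid_hostname(cid)) == SINKHOLE
    except socket.gaierror:
        return False


if __name__ == "__main__":
    import sys
    path, cid = sys.argv[1], sys.argv[2]
    print("changed:", sinkhole_cid(path, cid))
    print("sinkholed:", is_sinkholed(cid))
```

Run it as, for example, `python sinkhole.py /etc/hosts 039827D56AE85E00` with the appropriate privileges; the second line of output is the check worth keeping, since a browser that resolves names through a proxy or a SOCKS tunnel will ignore the hosts file no matter what it contains.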

Perhaps I’m being a bit paranoid; perhaps not.  If you are concerned, you should tell your thoughts to Microsoft.  Fixing the problems should be easy on Microsoft’s part.

5 comments:

  1. Normally I don’t believe Firebug, it always shows unencrypted traffic; is the result the same in Wireshark?

    Replies
    1. DNS traffic is not encrypted; I didn’t run a packet sniffer.

  2. I checked with Wireshark. It's in a DNS query.

  3. And I also did find it in plaintext in the SNI extension.

    Replies
    1. Thanks for your report on Ars Technica, and for reaching out to Microsoft for all of us.