Tuesday, October 6, 2015

Skype, stop sending (hashed) usernames in clear text

I suspect that experienced users may find this article to be less newsworthy, but I’ll point out the fact anyway: Skype for Desktop has a long history of sending persistent user identifiers in clear text.  The situation may be less worrying than the case of Microsoft accounts and CIDs, but it should be stopped nevertheless.


As shown in the screenshot above, when checking for updates at startup—over plain HTTP, so anyone on the network path can read the request—Skype for Desktop includes a parameter called “uhash” whose value is, presumably, a hashed username.  Indeed, its value appears to be account-specific and invariant under changes of session, password, client version, and operating system version.

There doesn’t seem to be a publicly accessible mechanism that maps “uhash” values to Skype usernames, although we don’t know whether one is available to government agencies.  Nor do we know how to calculate a “uhash” value from a Skype username, or who (other than Skype themselves) knows how.  The “uhash” values that I saw have 33, not 32, hexadecimal characters.  We do know, however, that Skype for Desktop has been sending “uhash” for a long time: it was already mentioned in a 2005 master’s thesis, although the “uhash” there had just 32 characters and the Skype version was 1.0.0.20.

It seems unreasonable to include a user identifier, in clear text, in a request that merely checks for software updates.  In fact, “uhash” only adds to the pile of “strong selectors” that resourceful government agencies can use to track users.

Skype should stop sending user identifiers, even if pseudonymous, in clear text.

Sunday, October 4, 2015

Microsoft, stop sending user identifiers in clear text

When you use a free Microsoft web app such as Outlook.com or OneDrive, or visit your Microsoft account page, an HTTPS request is made to display your profile picture.  That seems innocent until you notice something fishy: a numerical identifier of your account is included in the host name part of the URL.  The request body is encrypted, but the host name is not, so the identifier is visible to anyone who can monitor your DNS traffic (when the name isn’t cached) and to anyone who has access to your web traffic log (e.g., when you use a proxy server).


The identifier in question is known as the CID, which is a 64-bit integer (usually formatted in unsigned hexadecimal form) persistently associated with each Microsoft account, and is widely used in Microsoft APIs to identify users.

So, what’s the problem?


What’s the problem with this?  Well, it turns out that the CID can reveal quite a bit about the account owner.  For example, if your account’s CID is 039827D56AE85E00 and Alice knows it, she could
It used to be the case that OneDrive.com simply showed anyone’s profile picture and display name; now they have changed the user interface to make finding it out a little bit harder.  (The old UI is still available, though.)

These are not the only pieces of information that can be revealed.  In fact, the settings of some legacy apps are publicly accessible; for example, if you let the Calendar app display weather forecasts, Alice will be able to learn the location and temperature unit of your choice.


(The CID 039827D56AE85E00 mentioned above belongs to a demo account, and was published in a Microsoft blog post, so it’s harmless to post it here.)

CID disclosures


As we said in the beginning, when you use one of the free web apps from Microsoft and the host name containing your CID is resolved, the request is visible to anyone who can monitor your DNS traffic.  This includes everyone from packet sniffers at your local coffee shop, to your ISP, and eventually to the men and women defending national security at the Internet backbones.  If you use Tor, your CID is visible to the exit node.

Update — As suggested by vbezhenar, the CID is visible to eavesdroppers even if no DNS lookup is made.  The CID, as part of the host name, is sent in clear text in the Server Name Indication (SNI) extension of the TLS ClientHello.  That message goes out before any keys have been negotiated, so the host name is readable on the wire regardless of whether the name was cached.
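To make the SNI point concrete, here is an added example (it is not code from the original post, nor Microsoft’s): it builds a minimal TLS 1.2 ClientHello for a CID-bearing host name and then parses the host name back out of the raw bytes, exactly as a passive sniffer on the path would.  The host name pattern cid-….users.storage.live.com is the one the post describes; rendering the CID as 16 lowercase zero-padded hex digits, and the demo CID 039827D56AE85E00, are assumptions taken from the post rather than anything verified against Microsoft’s servers.

```python
"""Added example, not from the original post: a host name carried in TLS
Server Name Indication (SNI) is readable by anyone on the path, because the
ClientHello is sent before any encryption is negotiated.  We build a minimal
TLS 1.2 ClientHello whose only extension is SNI, then extract the SNI from
the raw record as a sniffer would.

Assumptions (not stated on the page): the CID is rendered as 16 lowercase,
zero-padded hex digits; the demo CID 039827D56AE85E00 is the one the post
cites.
"""
import re
import struct
from typing import Optional

# Host name pattern described in the post (case-insensitive, as DNS names are).
CID_HOST_RE = re.compile(r"^cid-([0-9a-f]{16})\.users\.storage\.live\.com$", re.I)


def cid_hostname(cid: int) -> str:
    """Render a 64-bit CID as the profile-picture host name the post describes."""
    if not 0 <= cid < 2**64:
        raise ValueError("CID must be an unsigned 64-bit integer")
    return f"cid-{cid:016x}.users.storage.live.com"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    host = server_name.encode("ascii")
    # ServerNameList entry: name_type 0 (host_name), 2-byte length, the name.
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # type 0 = SNI
    hello_body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random (zeros suffice for a parsing demo)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                              # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                              # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip client_version and random
    pos += 1 + body[pos]                         # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                         # compression_methods
    if pos + 2 > len(body):
        return None                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != 0x0000:
            continue
        p = 2                                    # skip ServerNameList length
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")      # the plaintext host name
    return None


def cid_from_hostname(host: str) -> Optional[int]:
    """Recover the CID if the host name is a cid-….users.storage.live.com name."""
    m = CID_HOST_RE.match(host)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    # Constructed sample: the demo CID the post cites, as seen by an eavesdropper.
    wire = build_client_hello(cid_hostname(0x039827D56AE85E00))
    seen = extract_sni(wire)
    print(seen, hex(cid_from_hostname(seen)))
```

Nothing here touches the encrypted part of the connection: the parser walks only the unencrypted ClientHello, which is why a hosts-file trick that merely avoids the DNS lookup, but still lets the browser open the TLS connection to the real server, would not hide the CID from the network.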

When you use an HTTPS proxy server, the host names are visible to anyone who can access the web traffic log: the browser names the destination host in its CONNECT request, and that is what the proxy logs.  This may be the case, for example, at schools and libraries that use proxy servers to filter web content.

In addition, when you share a file on OneDrive, you get a URL that contains your CID.  (Files on OneDrive are identified by a CID and a sequence number.)  So before you share this URL with someone else, think twice.

And there’s more.  If you have linked your Microsoft account with your Skype account, anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app.


It should be mentioned, though, that Microsoft has started to migrate Outlook.com mailboxes to Exchange Online, so the current People app will be phased out eventually.  (That said, the current “Outlook Mail (Preview)” on Exchange Online still loads your account picture from the same URL.)

What to do


Let’s wrap it up.  There are really two problems: one being that CIDs get unnecessarily disclosed—in host names, sharing links, etc.—and the other that there is important, potentially personally identifying information about a Microsoft account that can be revealed simply by knowing its CID.

For most users, the simplest workaround is to modify the hosts file so that cid-___.users.storage.live.com (where the blank stands for your CID in 16-character zero-padded hexadecimal form) resolves to a local address.  Pointing the name at your own machine prevents both the DNS lookup and the outgoing TLS connection, so neither the query nor the SNI leaves your computer; the price is that your profile picture no longer loads.  This won’t help, of course, if you must use a proxy server or make your DNS lookups remotely (as with Tor).  Also, this isn’t an option on most smartphones.

Perhaps I’m being a bit paranoid; perhaps not.  If you are concerned, you should tell your thoughts to Microsoft.  Fixing the problems should be easy on Microsoft’s part.