Your Microsoft Account identifier is stored in plain text, exposing you online

Discussion in 'All other topics' started by ireland, Oct 6, 2015.

Thread Status:
Not open for further replies.
  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    Your Microsoft Account identifier is stored in plain text, exposing you online

    Secure HTTP is all the rage these days, with users expecting a certain level of privacy and security when it is used to access services online, however if you think that's enough to protect your privacy when checking webmail, think again. It has been revealed that when users connect to their Microsoft user account page, Outlook.com, or OneDrive.com even when using HTTPS, the connection leaks a unique identifier that can be used to retrieve the name and profile photo in plaintext.

    The vulnerability was first uncovered by a blogger based in Beijing and then tested by Ars Technica who confirmed that;

    "Packet captures of connections to Outlook.com, the Windows account page, and OneDrive.com revealed DNS lookup requests for a host with the format cid-[user's CID here].users.storage.live.com. "

    The test also revealed that "The CID is also embedded in the Server Name Indication (SNI) extension data exchanged during the Transport Layer Security "handshake" that secures the session to the services, as Ars confirmed in an inspection of the packets."

    READ MORE
    http://www.neowin.net/news/your-mic...r-is-stored-in-plain-text-exposing-you-online
     
Thread Status:
Not open for further replies.

Share This Page