Microsoft Visitors’ Profile Info Exposed in Plain Text

October 6, 2015 at 11:11 am By

Profile information for Microsoft users who also use the Outlook or OneDrive services is being leaked in plain text over HTTPS connections, according to recent reports.

“A unique identifier called a CID is exposed because it’s sent as part of a Domain Name Service lookup for the address of the storage server containing profile data and as part of the initiation of an encrypted connection,” according to an Ars Technica report.

“As a result, it could be used to track users when they connect to services from both computers and mobile devices, possibly even identifying users as their requests leave the Tor anonymizing network.”
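To make the leak path concrete, here is an added example (not code from the Ars Technica report or from Microsoft) that builds a DNS query and a TLS ClientHello for a constructed hostname carrying a per-user identifier, then shows that a passive observer can read the same name from both the DNS question and the TLS Server Name Indication extension before any encryption starts. The `cid-<hex>` label pattern, the `.example.test` domain and the `leaks_identifier` audit rule are assumptions for illustration only, not Microsoft’s actual naming scheme.

```python
import re
import struct
from typing import Optional

# Constructed sample: a per-user identifier embedded as a DNS label
# (illustrative pattern, not Microsoft's real storage hostname format).
SAMPLE_HOST = "cid-0123456789abcdef.users.storage.example.test"

def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query (RFC 1035): header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def dns_qname(pkt: bytes) -> str:
    """Read the first question name back out of a DNS packet (no compression pointers)."""
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying one SNI extension (RFC 6066)."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def tls_sni(record: bytes) -> Optional[str]:
    """Return the plaintext SNI hostname from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                          # skip headers, version, random
    p += 1 + record[p]                                      # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")         # cipher suites
    p += 1 + record[p]                                      # compression methods
    ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                      # server_name: list_len(2) type(1) len(2) name
            nlen = int.from_bytes(record[p + 3:p + 5], "big")
            return record[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

ID_LABEL = re.compile(r"^cid-[0-9a-f]{16}$")                # assumed identifier label pattern

def leaks_identifier(hostname: str) -> bool:
    """Privacy-audit rule: flag hostnames that embed a stable per-user identifier."""
    return any(ID_LABEL.match(label) for label in hostname.split("."))
```

Run over a packet capture of your own outbound traffic, `dns_qname` and `tls_sni` recover exactly what an on-path observer sees, so `leaks_identifier` can flag identifier-bearing hostnames as a tracking risk.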

Ars Technica confirmed the leak by running its own test. Its findings were published over the weekend in a comprehensive report that also contains photo evidence.

“The CID can be used to retrieve the user’s profile image, and it can also be used via the OneDrive site to retrieve a user’s account display name,” according to the report.

“By accessing metadata from Microsoft’s Live service with the CID, someone could also retrieve information about when the account was last accessed and when it was created. The same metadata can expose information associated with the Live Calendar application, including user location.”

The article notes that such metadata can serve as a “‘strong identifier’ in National Security Agency parlance—to spot their network traffic as it flows across the Internet.”

A fix is in the works, so Microsoft is taking a proactive approach to resolving the issue.
