Microsoft Leaks Some User Details in Clear Text


Batu69


CIDs attached to user accounts are leaked in some scenarios



A Chinese developer only known under the name of ramen-hero has pointed out the fact that Microsoft leaks the CID identifier when performing DNS queries in clear text, a special piece of information that attackers could use to identify traffic coming from a specific person/account.



The problem can be found in Outlook.com, OneDrive, and Microsoft's account page, where, despite the presence of an HTTPS connection, the CID associated with each account is incorporated in the URL.



As ramen-hero explains, an attacker or government agency monitoring DNS traffic can easily detect connections coming from one person based on their CID.


The problem is that this CID is unique to each user account and allows attackers to connect various Microsoft services to users who would like to keep their privacy for various reasons.



The CID can reveal a person's account picture, show the display name attached to each account, and the date the account was created.



Additionally, using some code trickery, the CID can also reveal the person's location via a legacy Calendar app version, which publicly displays the CID and weather forecasts. If the user receives weather information in their Calendar app, then the weather location identifier can be used reliably to detect the user's day-to-day location.



The CID is also leaked in Tor traffic



Expanding on ramen-hero's research, other users have also pointed out that, because the CID is part of the domain name in various communications, attackers don't necessarily need to monitor DNS traffic.



The CID is also leaked during TLS handshakes and even in Tor traffic if the exit node is monitored.



"If you have linked your Microsoft account with your Skype account," says ramen-hero, "anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app."



This opens the door to serious privacy problems since attackers and those pesky government agencies can now interconnect Web traffic to single individuals and monitor them.



What Microsoft should do in this situation is to stop adding the CID in clear text inside URLs, and also to protect Web and API queries so that a user's CID cannot reveal personal and identifiable information.



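As an added example (not from the article and not ramen-hero's code): a small audit script that scans constructed DNS query log lines for hostnames that embed a CID-style label, then groups the hits by CID to show how one identifier correlates across services and client machines. The service domain suffixes, the log line layout and the 16-hex-digit CID shape are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" per line.
# The hostnames are illustrative assumptions, not the real endpoints.
SAMPLE_DNS_LOG = """\
2016-04-12T08:01:03Z 10.0.0.5 A cid-1a2b3c4d5e6f7a8b.users.storage.example
2016-04-12T08:01:09Z 10.0.0.5 A outlook.example
2016-04-12T08:02:41Z 10.0.0.7 A cid-0f0e0d0c0b0a0908.users.storage.example
2016-04-12T08:03:15Z 10.0.0.5 A 1a2b3c4d5e6f7a8b.files.storage.example
2016-04-12T08:04:02Z 10.0.0.9 A www.unrelated.example
"""

# Only names under these suffixes are audited (assumed service domains);
# restricting the scope keeps random hex labels on CDNs from being flagged.
WATCHED_SUFFIXES = ("storage.example", "outlook.example")

# A CID-style label: optional "cid-" prefix followed by exactly 16 hex digits
# (assumed format for this example).
CID_LABEL = re.compile(r"^(?:cid-)?([0-9a-f]{16})$")
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_cid_in_name(qname, suffixes=WATCHED_SUFFIXES):
    """Return the CID embedded in a queried name, or None if there is none."""
    name = qname.rstrip(".").lower()
    if not name.endswith(suffixes):
        return None
    for label in name.split("."):
        m = CID_LABEL.match(label)
        if m:
            return m.group(1)
    return None


def audit_dns_log(text, suffixes=WATCHED_SUFFIXES):
    """Group every leaked CID with the (client, hostname) pairs that carried it.
    A CID under several hostnames shows the cross-service correlation the
    article describes; a CID from several clients ties those machines to one account."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _ts, client, _qtype, qname = m.groups()
        cid = find_cid_in_name(qname, suffixes)
        if cid:
            hits[cid].add((client, qname.lower()))
    return {cid: sorted(pairs) for cid, pairs in hits.items()}
```

The same check applies unchanged to SNI hostnames taken from TLS logs, since the leaked value is the hostname itself.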

I think that personally, unless I was trying to stay anonymous online forever.. not exist.. or was involved in some type of wrongdoing or criminal activity online, I would not worry about it anyway.. Plus technically if you are monitoring DNS requests from an IP, that IP can be identified through the ISP at any cost in one way or another through records and timestamps... as well as incoming traffic... even after the fact.. Yes, Tor may obscure that IP in that manner, but truthfully there is a way in any instance to identify someone.

If you were looking for this scale of anonymity, then I would say that literally all of your services would be off grid and run through your own systems, including your email. No Google, Yahoo, Microsoft or other connected services, including updates.. and that for the most part there would be little to no activity online in any way.. media services or otherwise.. even servers and downloads would have to take place between individuals who would communicate through their own network of services... connected by word of mouth or coded communications... in that.. IPs would have to be exchanged in the same way as they change, links updated constantly with the new IP.. BECAUSE even identity can be resolved through the accounts connected to domain ownership and originating IP.. and yet still you would be using someone else's landlines and sats.. even ISPs to do it all on.. so at what point is anything truly secured? You can do your best though... unplug... LOL.. oh and it can always be decrypted.. just a method of buying time... :P

Uniquely identifying print of some sort.. (also would have been a better name for the topic) many of those exist even in the hardware you're using.. again, tactics can be applied to obscure this as well.. Would be difficult to eradicate all of this truthfully.. and expensive in the end.
