
Microsoft Leaks Unique User Account Identifiers in Clear Text



#1 NickAu


Posted 07 October 2015 - 03:37 PM

 

Researcher finds that Outlook and OneDrive leak unique user account identifiers in clear text

Microsoft’s OneDrive and Outlook.com are leaking unique user identifiers in plain text. A developer who goes by the name of ramen-hero has said that Outlook.com, OneDrive, and Microsoft’s account pages all incorporate a unique user identifier known as CID in URLs. The CID is a 64-bit integer (usually formatted in unsigned hexadecimal form) associated with each Microsoft account and used in Microsoft APIs for user identification.

Ramen-hero has made a post on the aptly named Annoyed Microsoft User, detailing how Microsoft is leaking these CIDs in plain text to anyone who wants them.

What’s the problem with this? Well, it turns out that the CID can reveal quite a bit about the account owner. For example, if your account’s CID is 039827D56AE85E00 and Alice knows it, she could

 

Microsoft Leaks Unique User Account Identifiers in Clear Text

 

Good one MS, Way to keep our details secure.



 


#2 TsVk!


Posted 07 October 2015 - 04:23 PM

Seems a bit reactionist IMHO. Not much to see or do with that.

 

If one could impersonate you and access your secure data with the CID this would be major, or if the whole operating system gathered all of your personal, network and system information and sent it back to Microsoft whether you liked it or not... that'd be major too.



#3 Animal


Posted 07 October 2015 - 04:36 PM

Subject was already posted and has been moved. http://www.bleepingcomputer.com/forums/t/592648/microsoft-sites-expose-visitors-profile-info-in-plain-text/

Please continue discussion in the original topic.

This one is now closed.
