Researcher claims Microsoft CID exposed in plain text

Pierluigi Paganini October 08, 2015

Microsoft web applications, such as Outlook or OneDrive and account pages, expose visitors’ Microsoft Identifier (CID) in plain text.

A Chinese developer who uses the pseudonym ramen-hero discovered that Outlook.com, OneDrive, and Microsoft’s account pages use a unique user identifier, also known as the CID, in their web applications.

The Microsoft CID is a 64-bit integer that the company uses as the unique identifier for its accounts; Microsoft APIs use it to identify users.

The Microsoft CID forms part of the hostname that locates user data for Outlook.com, Microsoft accounts, and other Live services; as a portion of the URL, it can be viewed by anyone who can monitor or sniff the user’s Internet traffic.

The CID is included in all the URLs generated for any access to Outlook.com, OneDrive, or the Microsoft account page, even if the request is made over an HTTPS connection.

“When you use a free Microsoft web app such as Outlook.com or OneDrive, or visit your Microsoft account page, an HTTPS request is made to display your profile picture, which seems innocent, until you notice something fishy: a numerical identifier of your account is included in the host name part of the URL, making it visible to anyone who can monitor your DNS traffic (when it’s not cached) or anyone who has access to your web traffic log (e.g., when you use a proxy server),” states the researcher in a blog post.

Microsoft CID disclosure

What does it mean for end users?

The leakage of the Microsoft CID in clear text could allow threat actors to query the company’s services to retrieve information on the targeted users. Because the CID is part of the hostname, each request is visible to anyone who can monitor the DNS traffic. This means that an attacker who shares the target’s network segment, or the ISP, can see these requests; the issue is present even if the user is browsing through the Tor network, in which case the CID is visible at the exit node.

“As we said in the beginning, when you use one of the free web apps from Microsoft and the host name containing your CID is resolved, the request is visible to anyone who can monitor your DNS traffic. This includes everyone from your local coffee shop packet sniffers, to your ISP, and eventually to the men and women defending national security at the Internet backbones. If you use Tor, your CID is visible to the exit node,” continues ramen-hero.

The Microsoft CID is visible to attackers even if no DNS lookup is made, because it is part of the host name and is sent in clear text during the TLS handshake in the Server Name Indication (SNI) extension.
Your CID can also be obtained very easily in other ways: for example, it is enough to share the URL of a file on OneDrive, since the sharing URL generated for the content contains your CID.

Bad news for Microsoft users who linked their accounts with their Skype accounts: threat actors who know the main alias of a Microsoft account can also obtain the CID using the People app.

The CID can be used to retrieve the user’s profile image, and via the OneDrive site it can also be used to retrieve the user’s account display name. The Microsoft CID could further be used to access metadata from Microsoft’s Live service, including when the account was created and when it was last accessed. An attacker can also use this metadata to retrieve information associated with the Live Calendar application.

Microsoft has already started the migration of Outlook.com mailboxes to Exchange Online, which uses a different protocol.

“The original web protocols were designed to allow applications to programmatically access public profile items. Non-public items are protected by user controlled authorization. Our recent protocols are more restrictive and over time we will phase out the older versions,” Microsoft’s spokesperson told SecurityWeek.com.

“For most users, the simplest workaround is to modify the hosts file to avoid DNS lookups to cid-___.users.storage.live.com (where the blank stands for your CID (in 16-character 0-padded hexadecimal form)). This won’t help, of course, if you must use a proxy server or make your DNS lookups remotely (as with Tor),” suggests ramen-hero to mitigate the issue.
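As an added example (not code from the post or from ramen-hero), the following Python audit recognises the cid-&lt;16 hex digits&gt;.users.storage.live.com hostname form quoted above in constructed DNS query log lines, decodes the 64-bit CID so an administrator can see how much of a privacy leak a proxy or resolver log holds, and builds the hosts-file line the workaround describes. The log line format, client addresses, CID values and the pinned IP address are all assumptions constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Hostname form described in the post: "cid-" + the CID as 16-character,
# zero-padded hexadecimal, under users.storage.live.com (case-insensitive,
# trailing dot of a fully qualified name tolerated).
CID_HOST_RE = re.compile(r"^cid-([0-9a-f]{16})\.users\.storage\.live\.com$", re.IGNORECASE)


def parse_cid_host(hostname: str) -> Optional[int]:
    """Return the 64-bit CID encoded in a users.storage.live.com hostname, or None."""
    m = CID_HOST_RE.match(hostname.strip().rstrip("."))
    return int(m.group(1), 16) if m else None


def cid_to_host(cid: int) -> str:
    """Build the hostname form the post describes (16-char, 0-padded hex)."""
    if not 0 <= cid < 2**64:
        raise ValueError("CID must be an unsigned 64-bit integer")
    return f"cid-{cid:016x}.users.storage.live.com"


def hosts_entry(cid: int, ip: str) -> str:
    """hosts-file line that suppresses the DNS lookup (ip is caller-supplied).
    Note: this only hides the lookup; the name is still sent in TLS SNI."""
    return f"{ip} {cid_to_host(cid)}"


# Constructed sample log, not real traffic: "<time> <client> <qtype> <qname>".
SAMPLE_DNS_LOG: List[str] = [
    "2015-10-08T10:00:01Z 10.0.0.12 A cid-00000000deadbeef.users.storage.live.com.",
    "2015-10-08T10:00:02Z 10.0.0.12 A outlook.live.com.",
    "2015-10-08T10:00:03Z 10.0.0.40 AAAA CID-0123456789ABCDEF.users.storage.live.com.",
    "malformed line",
]


def audit_dns_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Scan query log lines; return (client, hostname, cid) for each CID-bearing name."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip lines that do not fit the assumed format
        cid = parse_cid_host(fields[3])
        if cid is not None:
            hits.append((fields[1], fields[3].rstrip("."), cid))
    return hits


if __name__ == "__main__":
    for client, host, cid in audit_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} leaked CID {cid:#018x} via {host}")
```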

Pierluigi Paganini

(Security Affairs – Microsoft CID,  privacy)
