Researcher finds that Outlook and OneDrive leak unique user account identifiers in clear text
Microsoft’s OneDrive and Outlook.com are leaking unique user identifiers in plain text. A developer who goes by the name ramen-hero has reported that Outlook.com, OneDrive, and Microsoft’s account pages all embed a unique user identifier, known as the CID, in their URLs. The CID is a 64-bit integer (usually written as an unsigned hexadecimal number, i.e. 16 hex digits) associated with each Microsoft account and used in Microsoft APIs to identify the user.
Ramen-hero has written a post on the aptly named Annoyed Microsoft User detailing how Microsoft leaks these CIDs in plain text to anyone who cares to look.
What’s the problem with this? It turns out that the CID reveals quite a bit about the account owner. For example, if your account’s CID is 039827D56AE85E00 and Alice knows it, she could:
- download your account picture (and do evil things with it);
- know your display name (and maybe real name) is “Johnny Fellows” on OneDrive.com (and cyberstalk you and your family); and
- know that you created this account on December 2, 2013 and that you still use it.
OneDrive.com used to show anyone’s profile picture and display name outright; the user interface has since been changed to make this a little harder to find. (The old UI is still available, though.)
These are not the only pieces of information that can be revealed. In fact, the settings of some legacy apps are publicly accessible; for example, if you let the Calendar app display weather forecasts, Alice will be able to learn the location and temperature unit of your choice.
Because Microsoft leaks the CID in clear text, a malicious actor can link a user across the company’s services, grab the person’s account picture, view the display name attached to the account, and learn when the account was created. On top of that, because the settings of some legacy apps such as Calendar are publicly accessible, the attacker can also learn the user’s location.
According to another developer, vbezhenar, the CID is visible to an eavesdropper even if no DNS lookup is observed. Because the CID is part of the host name, it is sent in clear text in the Server Name Indication (SNI) extension of the TLS ClientHello, before any encryption is negotiated.
When you use an HTTPS proxy server, host names are likewise visible to anyone who can read the proxy’s traffic log, because the browser hands the host name to the proxy in clear text (in the CONNECT request) before the TLS tunnel is set up. This may be the case at schools and libraries, for example, which use proxy servers to filter web content.
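To make concrete what an on-path observer actually sees, here is an added example; it is not code from the Annoyed Microsoft User post or from Microsoft. It constructs a TLS 1.2 ClientHello carrying a host name in the SNI extension, parses that ClientHello the way a passive sniffer would, and pulls a 16-hex-digit CID out of the host name. The host name `cid-039827d56ae85e00.example.invalid` is an assumed pattern built around the article’s example CID, not a real Microsoft host name, and the proxy CONNECT line is a constructed log entry; the same `find_cid` helper applies to a OneDrive sharing link that carries the CID.

```python
import re
import struct
from typing import Optional

# Constructed host name for the example: the article's CID embedded in a host
# name label. This is an assumed pattern, not a host name taken from the page.
EXAMPLE_HOST = "cid-039827d56ae85e00.example.invalid"

# A 64-bit CID is exactly 16 hex digits; refuse to match inside a longer hex run.
CID_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{16})(?![0-9a-f])", re.IGNORECASE)


def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.

    Constructed for this example; it is not a capture of real Microsoft traffic.
    """
    name = host.encode("ascii")
    # ServerNameList: one entry of type host_name (0), 16-bit length, name bytes
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # type 0 = server_name
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + bytes(32)                                 # random (zeros; irrelevant here)
        + b"\x00"                                   # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"        # cipher_suites: a single suite
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # Handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name carried in a ClientHello's SNI extension, or None.

    Everything parsed here precedes any encryption, which is exactly what a
    passive observer on the path gets to see.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                    # server_name extension
                names = body[pos + 2:pos + ext_len]   # skip the ServerNameList length
                i = 0
                while i + 3 <= len(names):
                    name_type = names[i]
                    name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
                    if name_type == 0:                # host_name entry
                        return names[i + 3:i + 3 + name_len].decode("ascii")
                    i += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                   # truncated or malformed hello
    return None


def find_cid(text: str) -> Optional[str]:
    """Pull a 16-hex-digit CID out of a host name, URL, or proxy log line."""
    m = CID_RE.search(text)
    return m.group(1).upper() if m else None


if __name__ == "__main__":
    hello = build_client_hello(EXAMPLE_HOST)
    sni = extract_sni(hello)
    print("SNI seen on the wire:", sni)
    print("CID recovered from SNI:", find_cid(sni or ""))
    # A filtering proxy sees the same name in the CONNECT line (constructed log entry).
    print("CID from proxy log:", find_cid(f"CONNECT {EXAMPLE_HOST}:443 HTTP/1.1"))
```

The parser deliberately stops at the ClientHello: nothing after it is needed, because the SNI host name is the only field an observer has to read to recover the CID, and the CID regex rejects hex runs longer than 16 digits so a random hash in a URL is not mistaken for one.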
In addition, when you share a file on OneDrive, the link you get contains your CID. (Files on OneDrive are identified by a CID plus a sequence number.) So think twice before you pass that URL on to someone else.
And there’s more. If you have linked your Microsoft account with your Skype account, anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app.
Microsoft has not yet commented on the issue.