Users of Microsoft web services such as OneDrive, Outlook and the Microsoft account page are at risk of exposing their profile information to hackers. If they believe that using the secure HTTP protocol (HTTPS) protects their privacy, that is an illusion. This includes those who use the Tor (onion) browser for their browsing.
A unique identifier called the CID is exposed when the browser sends a Domain Name System (DNS) lookup request, and it is leaked again as part of the initiation of the encrypted connection to the storage server that holds profile data. The exposure occurs whether users connect to the services from computers or from mobile devices, and hackers could take advantage of it.
The leak of profile data when users connect to a Microsoft web service was first revealed by a hacker turned blogger in Beijing. Packet captures of connections to Outlook.com, the Windows account page, and OneDrive.com revealed DNS lookup requests for a host with the format cid-[user’s CID here].users.storage.live.com.
The CID is also embedded in the Server Name Indication (SNI) extension data exchanged during the Transport Layer Security “handshake” that secures the browsing session to the services.
What’s more, the same CID can be used to retrieve the user’s profile image, and it can also be used via the OneDrive site to retrieve a user’s account display name.
Thus, with access to metadata from Microsoft’s Live service through the CID, a hacker could easily retrieve information about when the account was last accessed and when it was created. The same metadata leak can also expose the user’s location if carefully analyzed, and can let a hacker keep track of the user on a consistent basis (like how the NSA tracks all web services users in the US).
When Tor is used, the user’s identity can be concealed to a certain extent, i.e. the origin point can be isolated. But the CID data would be exposed once traffic leaves a Tor exit node.
When our sources passed this information on to Microsoft and asked for a response, a Microsoft spokesperson said the company is aware of the issue and is preparing a response.
More details will be added soon.