HTTPS is all the rage these days, with users expecting a certain level of privacy and security when it is used to access services online. If you think that is enough to protect your privacy when checking webmail, though, think again. It has been revealed that when users connect to their Microsoft user account page, Outlook.com, or OneDrive.com, even over HTTPS, the connection leaks, in plaintext, a unique identifier that can be used to retrieve the user's name and profile photo.
The vulnerability was first uncovered by a blogger based in Beijing and then tested by Ars Technica, which confirmed that:
"Packet captures of connections to Outlook.com, the Windows account page, and OneDrive.com revealed DNS lookup requests for a host with the format cid-[user's CID here].users.storage.live.com."
The test also revealed that "The CID is also embedded in the Server Name Indication (SNI) extension data exchanged during the Transport Layer Security "handshake" that secures the session to the services, as Ars confirmed in an inspection of the packets."
In short, the CID can be used to retrieve the user's profile image and, via the OneDrive site, the user's account display name. By accessing metadata from Microsoft's Live service with the CID, someone could also retrieve information about when the account was last accessed and when it was created. The same metadata can expose information associated with the Live Calendar application, including user location.
This sort of vulnerability could allow someone to use the CID as a tracker, even when a user is connected through the Tor network. An observer could correlate someone's identity with other traffic from the same IP address, and while an anonymizing network such as Tor would conceal the origin point of the traffic, the CID would still be exposed once traffic left a Tor exit node.
A Microsoft spokesperson told Ars Technica that the company is aware of the issue and is preparing a response.
Source and bottom image: Ars Technica