When one connects to a Microsoft website (Outlook, onedrive, etc.) is done using an email address and a password ... What could be more normal? But a fault or negligence on the part of Microsoft, has been discovered: the unique connection identifier (CID) is stored in the clear, without suffering any encryption.
The flaw in question was discovered by ramen-hero, a Chinese blogger, who then reported the site Ars Technica. By connecting to a Microsoft site like Outlook.com or onedrive, the browser stores the CID of the user (a unique identifier). Problem: The CID is stored and transmitted as plaintext without being encrypted. A malicious person that analyzes a user traffic can thus edit the CID and misuse. If
it is impossible to find in this way the login name and password, it
remains possible for a hacker to recover certain information: the photo
of the user or his username on onedrive. From
there, it can eventually intersect this information with others, such
as the Microsoft Online Calendar (which is also a victim of the same
security issues), and follow the victim to trace. And
even if the user's connection is protected with a proxy or made
anonymous through the TOR network, it will be possible to continue to
track him using his CID Microsoft.
In theory, the flaw discovered here is nothing critical. However, it may be particularly perverse to trace users and do social engineering. A spokesperson from Redmond said the site Ars Technica that the problem was known and that Microsoft was working to find a fix.
No comments:
Post a Comment