Microsoft Account Is Sending User Identifiers In Clear Text Causing Potential Privacy Leaks


5, 2015

Microsoft Account

Whenever we use a Microsoft service on the web such as or OneDrive, Microsoft sends an HTTPS request containing the CID, a numerical ID that uniquely identifies a user. The CID is visible to anyone who monitors your DNS traffic or who logs your browsing activity through a proxy.

What’s the issue here?

A CID can reveal quite a bit about the account owner. For example, if your account’s CID is 039827D56AE85E00 and someone knows it, he/she could:

  • Download your account picture.
  • Know your display name (and maybe real name).
  • Know that you created this account on December 2, 2013 and that you still use it.
  • If you let the Calendar app display weather forecasts, learn the location and temperature unit of your choice.
  • In addition, when you share a file on OneDrive, you get a URL that contains your CID.
  • If you have linked your Microsoft account with your Skype account, anyone who knows your Microsoft account’s main alias can also obtain your CID using the People app.
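For anyone who operates the DNS or proxy logging mentioned above, the sketch below replaces CID-shaped tokens in log lines with a keyed pseudonym, so the logs still correlate per user without storing the identifier itself. It is an added example, not code from the original post or from Microsoft; it assumes a CID is a 16-hex-digit token like the example value above, and the `cid-` host prefix, the `example.invalid` hostnames, the log layout and the key are constructed placeholders.

```python
import hashlib
import hmac
import re

# Assumption: a CID is a 16-hex-digit token, like the page's 039827D56AE85E00.
# The lookarounds stop longer hex runs (hashes, request IDs) from matching.
CID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])")


def pseudonymize(cid: str, key: bytes) -> str:
    """Keyed pseudonym: stable per CID (case-insensitive), useless without the key."""
    digest = hmac.new(key, cid.upper().encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:12]


def scrub_line(line: str, key: bytes):
    """Replace every CID-shaped token in one log line; return (line, count)."""
    return CID_RE.subn(lambda m: pseudonymize(m.group(0), key), line)


def scrub_log(lines, key: bytes):
    """Scrub an iterable of log lines; return (scrubbed_lines, total_replaced)."""
    out, total = [], 0
    for line in lines:
        clean, n = scrub_line(line, key)
        out.append(clean)
        total += n
    return out, total


# Constructed sample lines; hostnames and layout are placeholders, not real logs.
SAMPLE = [
    "2000-01-01T10:00:01 dns query A cid-039827D56AE85E00.example.invalid",
    "2000-01-01T10:00:02 proxy CONNECT cid-039827d56ae85e00.example.invalid:443",
    "2000-01-01T10:00:03 proxy GET http://example.invalid/f?sha256=" + "ab" * 32,
    "2000-01-01T10:00:04 dns query A www.example.invalid",
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a secret kept outside the logs
    scrubbed, count = scrub_log(SAMPLE, key)
    for row in scrubbed:
        print(row)
    print("replaced", count)
```

Rotating the key breaks linkability between old and new logs, which is the point when retention periods end.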

Hopefully, Microsoft will fix this issue soon. Read more about it from the source link below.
