Microsoft websites found to display user profile information in plaintext
Most of us use Microsoft's web services like Outlook.com, OneDrive and many more.
But did you know that the services we love and use every day are actually putting the user profile at risk?
This is what a blogger has found and reported to the Redmond company. Before we move on, here’s a brief description about how websites use information to identify users.
When you use a web service, packets of data are transmitted back and forth between your device and the server it connects to. Similarly, when you log on to a website, the username and password combination is authenticated through a virtual handshake, after which you are allowed to use the web service.
What happens in the background is that the web service identifies the user by a secret code, which contains the user information. Normally this sort of information is encrypted by the servers to prevent hacking and identity theft.
But apparently that isn't the case with some of Microsoft's most popular services. The Redmond company stores the user info in CIDs (a hexadecimal string), which are reportedly displayed as plaintext right where you don't want them to be: in your browser's address bar. The worst part is that this happens even over HTTPS, the secure protocol which the services use by default, since the CID sits in the URL itself rather than in the encrypted page content.
This means that anyone who monitors your network or your browser can get access to some of your personal information, as noted below.
Many users have dismissed this as a non-issue, or at most a trivial one. That is not the case. The flaw is quite serious, in that it leaks personal information without the user being aware of it.
The information that a person can view using just the CID includes the following:
View and download your account picture
View your display name
View when you created the account (month, day and year)
It's the digital age and things could be worse, but the least that could happen to the user is some kind of identity theft or misuse of the available information.
Ars Technica reports that it has tested for and verified the issue. There isn't much the user can do to prevent this; if you really want a workaround, you could try what has been suggested in the report by the person who discovered the issue. The only real fix, however, is a server-side change to encrypt the CID, which obviously has to be done by the Redmond company.