Microsoft sites expose visitors’ profile info in plain text

Discussion in 'privacy problems' started by Minimalist, Oct 5, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Great, another MITM vulnerability? Or is this is something even worse in terms of attack vectors?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes MITM and possible deanonymization for TOR and VPNs.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Uh, would we call this a MITM vulnerability? It seems that a user's unique identifier will appear within a hostname. So it will be exposed to their DNS provider(s) and intermediaries would be able to capture it through ordinary sniffing (unless the user is encrypting DNS traffic). Furthermore, that hostname will also appear in the SNI field during TLS handshake. So a party between the user and the TLS server would be able to capture it through ordinary sniffing. For purposes of discussion, the sniffing could be done through a passive tap. The sniffing party doesn't actually have to relay, let alone manipulate, any traffic. It only needs to receive a copy.

    The talk about using a captured unique identifier to access some information you shouldn't be able to access doesn't suggest that a MITM is required either.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Feh, just typical misuse of GET :eek:

    But the lesson here is to compartmentalize email, website, etc accounts. Using a given account across multiple communication channels links them. So each communication channel should have its own set of accounts. Don't cross the streams!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.