Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Your Rights Online

MSN Cookie Data Crosses Domains 14

tzanger writes "My brother pointed me to this article on pc-help.org. It explains a clever GUID tagging mechanism employed my MSN which allows cookies to be set and tracked over multiple domains. Of particular interest is that this mechanism works even if cookies are disabled. Finally, IE users may find that their Trusted Sites settings are useless if msn.com is on the list of sites that they do trust." Not a new issue, but a very clear and technical explanation of what is going on behind the scenes. Nice investigative work.
This discussion has been archived. No new comments can be posted.

MSN Cookie Data Crosses Domains

Comments Filter:
  • This article really needs to be on the front page....
  • Not a new issue, [snip]

    This may be so but I haven't seen it covered here before and I do feel it's important to bring to light.

    Where did you hear from it before? (not a flame-starter, an honest question)

    ... an aside. I clicked "no score +1 bonus, and then continued to type here. Every time I hit space, the checkmark toggles. I'm not sure How I managed to keep the checkbox highlighed and then resume typing. Neat bug at any rate. :-)

  • I wonder how much extra use the msid.msn.com server is getting tonight... it has certainly had a few hits from me that it wouldn't normally have.
  • by Tackhead ( 54550 ) on Thursday November 02, 2000 @01:42PM (#654605)
    Go on, try it. Block msid.msn.com and cookies in Junkbuster, then try to visit msnbc.com.

    Your browser will get caught in a loop, reloading blank pages until eternity.

    Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

    Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net. Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

    This is why I've had msid.msn.com firewalled for the past 2-3 years. Nothing comes in, nothing goes out. Ever.

    I have no idea what Bill's doing with this data, but I sure as fuck don't like it.

    (And I concur with the poster that said this should be on the /. front page. Whatever's going on at msid.msn.com has been going on since the release of Windows 98, and it needs to be investigated by those with more clue than I.)

  • by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday November 02, 2000 @01:43PM (#654606) Homepage

    The nastiest bit of the whole thing is saved for the very end of the article: the MS script is set up to do this cookie exchanging indiscriminately, not just for other MS sites. As the author put it:

    Since the MSN server returns the ID found in pre-existing cookies,
    anyone, anywhere can create links to his own pages which will deliver visiting users' MSN GUIDs to his own server.

    I don't know precisely how many of Microsoft's servers may behave this way, nor whether this practice is widespread on the Web. But to the degree that such identifiers might lead to personal information, this indiscriminate handing-out of GUIDs could have very undesirable consequences to users' privacy.

    That's a very, very serious security hole. I don't know how much data MS keeps, but I wouldn't be terribly surprised if it were possible to mine credit cards numbers this way. It's more proof of MS's lax attitude toward security.

  • Junkbuster's proxy is having lots of fun with this one -- because it blocks BOTH cookies and referer: headers. Going to www.linkexchange.com results in a barf "document contains no data". Trying to load up www.msnbc.com results in an endless redirect loop between www.msnbc.com, and msid.msn.com, as they vainly try to tag me, somehow.

    This is funny to watch.

    ---

  • If memory serves me right... About a year ago or maybe even more.. :) .. And it was here on slashdot. It's probably burried deep down in the Microsoft topic. Or maybe privacy. I'll run a check but don't hold your breath.. ;)
    --
    "No se rinde el gallo rojo, sólo cuando ya está muerto."
  • Big Brother is Watching YOU. I Knew that they would figure out how to get around turning off cookies it was just a matter of time.My question is How do we Thwart them????????

    PS no FUD or Hot Grits Please
  • How do we Thart them?

    Well I've got an okay solution and a better solution:

    Okay solution: As mentioned already, just block msid.microsoft.com at the firewall. The bad news is that sites which rely on this break.

    Better solution: use ipchains to redirect port 80 requests to msid.microsoft.com to a local webserver which sets a bogus cookie and referrer.

  • Getting around this problem is easy, I don't know how you missed it. Don't use Microsoft products. They can't keep doing this if they go out of business, now, can they?

  • I have my own browser which makes it very easy to debug things like this. Not only does it never follow redirects and naver take cookies, but it makes it easy to examine the raw data returned by every HTTP transaction. I also use Linux Netscape 4.72, and have cookies enabled there all the time.

    I discovered that expedia [expedia.com] and msnbc [msnbc.com] have common GUIDs in my Netscape cookies file, and furthermore the expedia site uses the same triple-redirection technique shown on the pc-help.org article [pc-help.org]. It routes through expedia.msnbc.com and then back to expedia.com after attaching the GUID to the URL.

    - Robert Munafo
  • Funny.. :) .. but won't work.
    --
    "No se rinde el gallo rojo, sólo cuando ya está muerto."
  • I am using MS Internet Explorer 5.0 for the Mac. I went into my cookie file and deleted all cookies related to microsoft. and set IE to decline all cookies. I then went to the MCNBC website and clicked on an article. Went back to my cookie file and found this:

    Server Name Status

    msn.com MC1 disabled

    msnbc.com MC1 disabled

    Yet when I chose to view the properties of the cookie files their status was listed as enabled! Yet another deceptive practice from Microsoft. Who would have thunk it!

  • Your browser will get caught in a loop, reloading blank pages until eternity.

    So basically, MS implemented a DoS attack to itself ? I think I'll make it my default page.

Genius is ten percent inspiration and fifty percent capital gains.

Working...