Slashdot Mirror

← Back to Stories (view on slashdot.org)

MSN Cookie Data Crosses Domains

Posted by michael on from the cunning-little-buggers dept.

tzanger writes "My brother pointed me to this article on pc-help.org. It explains a clever GUID tagging mechanism employed my MSN which allows cookies to be set and tracked over multiple domains. Of particular interest is that this mechanism works even if cookies are disabled. Finally, IE users may find that their Trusted Sites settings are useless if msn.com is on the list of sites that they do trust." Not a new issue, but a very clear and technical explanation of what is going on behind the scenes. Nice investigative work.

14 comments

  1. This needs to be on the front page by DAldredge · · Score: 1

    This article really needs to be on the front page....

  2. Maybe not new... by tzanger · · Score: 1

    Not a new issue, [snip]

    This may be so but I haven't seen it covered here before and I do feel it's important to bring to light.

    Where did you hear from it before? (not a flame-starter, an honest question)

    ... an aside. I clicked "no score +1 bonus, and then continued to type here. Every time I hit space, the checkmark toggles. I'm not sure How I managed to keep the checkbox highlighed and then resume typing. Neat bug at any rate. :-)

    1. Re:Maybe not new... by CptnHarlock · · Score: 1

      If memory serves me right... About a year ago or maybe even more.. :) .. And it was here on slashdot. It's probably burried deep down in the Microsoft topic. Or maybe privacy. I'll run a check but don't hold your breath.. ;)
      --
      "No se rinde el gallo rojo, sólo cuando ya está muerto."

      --
      $HOME is where the .*shrc is
      -- silver_p
  3. msid.msn.com by 30F06950 · · Score: 1

    I wonder how much extra use the msid.msn.com server is getting tonight... it has certainly had a few hits from me that it wouldn't normally have.

  4. More on msid.msn.com by Tackhead · · Score: 5
    Go on, try it. Block msid.msn.com and cookies in Junkbuster, then try to visit msnbc.com.

    Your browser will get caught in a loop, reloading blank pages until eternity.

    Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

    Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net. Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

    This is why I've had msid.msn.com firewalled for the past 2-3 years. Nothing comes in, nothing goes out. Ever.

    I have no idea what Bill's doing with this data, but I sure as fuck don't like it.

    (And I concur with the poster that said this should be on the /. front page. Whatever's going on at msid.msn.com has been going on since the release of Windows 98, and it needs to be investigated by those with more clue than I.)

    1. Re:More on msid.msn.com by esonik · · Score: 1

      Your browser will get caught in a loop, reloading blank pages until eternity.

      So basically, MS implemented a DoS attack to itself ? I think I'll make it my default page.

  5. Nastiest is Last by rgmoore · · Score: 3

    The nastiest bit of the whole thing is saved for the very end of the article: the MS script is set up to do this cookie exchanging indiscriminately, not just for other MS sites. As the author put it:

    Since the MSN server returns the ID found in pre-existing cookies, anyone, anywhere can create links to his own pages which will deliver visiting users' MSN GUIDs to his own server.

    I don't know precisely how many of Microsoft's servers may behave this way, nor whether this practice is widespread on the Web. But to the degree that such identifiers might lead to personal information, this indiscriminate handing-out of GUIDs could have very undesirable consequences to users' privacy.

    That's a very, very serious security hole. I don't know how much data MS keeps, but I wouldn't be terribly surprised if it were possible to mine credit cards numbers this way. It's more proof of MS's lax attitude toward security.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  6. Junkbuster proxy. by mrsam · · Score: 1
    Junkbuster's proxy is having lots of fun with this one -- because it blocks BOTH cookies and referer: headers. Going to www.linkexchange.com results in a barf "document contains no data". Trying to load up www.msnbc.com results in an endless redirect loop between www.msnbc.com, and msid.msn.com, as they vainly try to tag me, somehow.

    This is funny to watch.

    ---

  7. There is no Privacy so whats the Diff??????? by pc.dr · · Score: 1

    Big Brother is Watching YOU. I Knew that they would figure out how to get around turning off cookies it was just a matter of time.My question is How do we Thwart them????????

    PS no FUD or Hot Grits Please

    --
    Privacy. Who has the time to keep it? Oh Well. death and taxes
    1. Re:There is no Privacy so whats the Diff??????? by tzanger · · Score: 1

      How do we Thart them?

      Well I've got an okay solution and a better solution:

      Okay solution: As mentioned already, just block msid.microsoft.com at the firewall. The bad news is that sites which rely on this break.

      Better solution: use ipchains to redirect port 80 requests to msid.microsoft.com to a local webserver which sets a bogus cookie and referrer.

    2. Re:There is no Privacy so whats the Diff??????? by CptnHarlock · · Score: 1

      Funny.. :) .. but won't work.
      --
      "No se rinde el gallo rojo, sólo cuando ya está muerto."

      --
      $HOME is where the .*shrc is
      -- silver_p
  8. getting around it by ChristTrekker · · Score: 1

    Getting around this problem is easy, I don't know how you missed it. Don't use Microsoft products. They can't keep doing this if they go out of business, now, can they?

    --

    Constitutionally Correct

  9. expedia and msnbc too! (using my own browser) by mrob · · Score: 1

    I have my own browser which makes it very easy to debug things like this. Not only does it never follow redirects and naver take cookies, but it makes it easy to examine the raw data returned by every HTTP transaction. I also use Linux Netscape 4.72, and have cookies enabled there all the time.

    I discovered that expedia and msnbc have common GUIDs in my Netscape cookies file, and furthermore the expedia site uses the same triple-redirection technique shown on the pc-help.org article. It routes through expedia.msnbc.com and then back to expedia.com after attaching the GUID to the URL.

    - Robert Munafo

    --
    Lawyers: The Other White Trash.
  10. MS decieves Mac Users! by higginsta · · Score: 1
    I am using MS Internet Explorer 5.0 for the Mac. I went into my cookie file and deleted all cookies related to microsoft. and set IE to decline all cookies. I then went to the MCNBC website and clicked on an article. Went back to my cookie file and found this:

    Server Name Status

    msn.com MC1 disabled

    msnbc.com MC1 disabled

    Yet when I chose to view the properties of the cookie files their status was listed as enabled! Yet another deceptive practice from Microsoft. Who would have thunk it!