MSN Cookie Data Crosses Domains

tzanger writes "My brother pointed me to this article on pc-help.org. It explains a clever GUID tagging mechanism employed my MSN which allows cookies to be set and tracked over multiple domains. Of particular interest is that this mechanism works even if cookies are disabled. Finally, IE users may find that their Trusted Sites settings are useless if msn.com is on the list of sites that they do trust." Not a new issue, but a very clear and technical explanation of what is going on behind the scenes. Nice investigative work.

More on msid.msn.com

[Tackhead]

Go on, try it. Block msid.msn.com and cookies in Junkbuster, then try to visit msnbc.com.

Your browser will get caught in a loop, reloading blank pages until eternity.

Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net. Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

This is why I've had msid.msn.com firewalled for the past 2-3 years. Nothing comes in, nothing goes out. Ever.

I have no idea what Bill's doing with this data, but I sure as fuck don't like it.

(And I concur with the poster that said this should be on the /. front page. Whatever's going on at msid.msn.com has been going on since the release of Windows 98, and it needs to be investigated by those with more clue than I.)

Nastiest is Last

[rgmoore]

The nastiest bit of the whole thing is saved for the very end of the article: the MS script is set up to do this cookie exchanging indiscriminately, not just for other MS sites. As the author put it:

Since the MSN server returns the ID found in pre-existing cookies, anyone, anywhere can create links to his own pages which will deliver visiting users' MSN GUIDs to his own server.

I don't know precisely how many of Microsoft's servers may behave this way, nor whether this practice is widespread on the Web. But to the degree that such identifiers might lead to personal information, this indiscriminate handing-out of GUIDs could have very undesirable consequences to users' privacy.

That's a very, very serious security hole. I don't know how much data MS keeps, but I wouldn't be terribly surprised if it were possible to mine credit cards numbers this way. It's more proof of MS's lax attitude toward security.