LetsWindows10 Posted October 7, 2015

Thanks to the blog post linked below, where it was discovered that your unique ID was being passed to MS Cloud services in plain text, I've found the same unique ID located in the Windows 10 registry.

http://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html

The same ID passed in plain text to the cloud is located in the Windows 10 registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Census\MSACIDs

The above screenshot is from Windows 10 build 10240. I'll be updating OS build to confirm it persists across builds. It was found while logged into Windows 10 with my Microsoft account - not a local account, so YMMV.

Originally I used the info in that blog post to verify his results under Windows 7 and IE11. I logged into my Microsoft account and found the CID with Developer Tools (F12) on the Network tab. (The CID is "yellowed-out" in all screenshots.) Notice at the top right of the screenshot how Microsoft has conveniently recorded information about every PC I've used to test Windows 10.

Stopped capturing network data, closed & reopened IE, started recording network data again and logged into OneDrive to find the same CID.

This information persists across hardware, it is not an "anonymous identifier." It is directly linked to your MS account, in plain text, for the majority of Windows 10 users who do not use local accounts. I have Windows 10 and Windows 7 on separate physical hard drives and I physically swapped them out to test this.

What does this mean to the average user? Probably not much yet, but I'm sure the blackhats are already on the case. Should we get CID tattoos now or later? One of us! One of us!

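The check described in the post above (finding the same CID in an F12 Network capture) can be repeated on a saved capture. This is an added example, not code from the thread or the linked blog post: it assumes the capture was exported as a HAR 1.2 file, and the CID value and host names below are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a 16-hex-digit stand-in for an account CID (not a real one).
SAMPLE_CID = "0123456789abcdef"

# Constructed HAR 1.2 fragment, shaped like an F12 "Network" tab export.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "headers": [],
                 "url": "http://storage.example.test/items?cid=0123456789ABCDEF"}},
    {"request": {"method": "GET", "headers": [{"name": "Cookie", "value": "lang=en"}],
                 "url": "https://cid-0123456789abcdef.users.example.test/profile"}},
    {"request": {"method": "POST", "postData": {"text": "a=1"},
                 "headers": [{"name": "X-Account", "value": "0123456789abcdef"}],
                 "url": "https://login.example.test/session"}},
    {"request": {"method": "GET", "headers": [],
                 "url": "https://static.example.test/app.js"}},
]}})


def find_identifier(har_text, identifier):
    """Return one finding per captured request that carries `identifier`."""
    needle = identifier.lower()
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        places = {
            "host": url.hostname or "",
            "path": url.path,
            "query": url.query,
            "headers": " ".join(h["value"] for h in req.get("headers", [])),
            "body": req.get("postData", {}).get("text", ""),
        }
        where = [name for name, text in places.items() if needle in text.lower()]
        if not where:
            continue
        # Over http the whole request is readable on the wire; over https the
        # host name can still be visible to the network (DNS lookup, TLS SNI).
        exposed = url.scheme == "http" or "host" in where
        findings.append({"url": req["url"], "where": where,
                         "network_visible": exposed})
    return findings


if __name__ == "__main__":
    for finding in find_identifier(SAMPLE_HAR, SAMPLE_CID):
        print(finding)
```
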
Tripredacus Posted October 7, 2015

> This information persists across hardware, it is not an "anonymous identifier." It is directly linked to your MS account

The CID is tied to your MS account. It would make sense that if you use your MS account to log into Windows 10, then that ID is stored somewhere in the OS. See here: http://www.msfn.org/board/topic/174208-windows-10-deeper-impressions/#entry1109597

NoelC Posted October 12, 2015

Logged in with a local account, the MSACIDs field in the registry is blank for me.

Is this the "Microsoft Advertising Customer ID" we're talking about here?

LetsWindows10, you're anticipating a new kind of identity theft?

-Noel

Tripredacus Posted October 12, 2015

Noel, the ID there is related to your MS account. If you log into Windows 10 using a MS account, the ID is apparently written into the registry in that location. Are you logged in as a local or MS account to yours?

maxXPsoft Posted October 12, 2015

Oh heck no MS account. Not gonna add that here so mine blank also.

Have read that after the next upgrade it won't require MS account.

Edited October 12, 2015 by maxXPsoft

NoelC Posted October 12, 2015

> Have read that after the next upgrade it won't require MS account

??? As far as I can see, it doesn't require an MS account now. And no, I'm not logging in with an MS account (it's a local account, as I mentioned above).

-Noel

maxXPsoft Posted October 13, 2015

> > Have read that after the next upgrade it won't require MS account
>
> ??? As far as I can see, it doesn't require an MS account now. And no, I'm not logging in with an MS account (it's a local account, as I mentioned above).
>
> -Noel

If I go to Store and try to install something I get this. I guess it changed allowing Work account, yeah right I not plugging that in either.

I tried one time with MS and it changed my user and all so I had to image back.

A workaround haven't tried yet: http://lifehacker.com/install-windows-10-store-apps-without-switching-to-a-mi-1723075610

NoelC Posted October 13, 2015

> If I go to Store and try to install something

(Said with a southern drawl...) "Well thar's your problem right there!"

Way back when I had Apps installed, as I recall if you were careful there was a way to enter one's Microsoft account temporarily, for that one visit. But things have probably changed since then.

You're saying they're going to loosen up on the requirement to have a Microsoft account to be able to visit the App Store and buy something? That seems almost impossible to imagine.

-Noel

Tripredacus Posted October 13, 2015

> You're saying they're going to loosen up on the requirement to have a Microsoft account to be able to visit the App Store and buy something? That seems almost impossible to imagine.

For all the Windows 10 Upgrade (from Win7) testing I did, I was never asked to log in or create a Microsoft account. So the local account from Win7 was the default account then in Windows 10. Maybe it has to do with situations like that?

LetsWindows10 (Author) Posted October 14, 2015

> LetsWindows10, you're anticipating a new kind of identity theft?

It seems careless and ripe for exploitation. In the MS profile, there's a section for Money & Gift Cards (see screenshot above) for Microsoft Stores and Apps. Wonder if it saves credit cards for "fast checkout" and how long it will take someone to compromise? A system is only as secure as its weakest link. Plain text is weak. There's a whole site dedicated to it: http://plaintextoffenders.com

From Krebs on Security regarding the Experian data leak (cleverly reported as a T-Mobile data leak in the media because no one needs to know it was actually the largest credit check firm in the world involved or they've never heard of Experian unless they've applied for a mortgage):

> The same source demonstrated how modifying just one or two numbers at the tail end of that link revealed requests for access to networked file shares from across a range of Experian’s business units. The requests included specific names of network shares, usernames, userIDs, and LanIDs, as well as email addresses, phone numbers of Experian personnel requesting and approving the changes.

It's disconcerting at the least whenever a number is assigned to a human being. I'm well aware of unique keys in databases, and that's potentially all this is, but it should not by any means be plain text and accessible via web from any unauthenticated browser. I know someone who just searched for OneDrive screenshots and was able to pull up profile photos for the people who posted them.

Most of this rant is wild speculation and...well, just a rant, but there are real-world examples of this practice being a Bad Idea™. Leave a door open for long enough and you'll start to get uninvited guests.

NoelC Posted October 14, 2015

Seems to me Microsoft was all Gung Ho on requiring everyone to have a Microsoft Account early in the pre-release process, then reality started to set in and they finally had to cave and provide local account support.

It's a matter of taking Windows in a direction people just don't want to go in. Especially not the business folks, who pay for it all.

They think they're leading the world, but they're really wandering randomly with the overly simplistic mindset of a child.

-Noel

LetsWindows10 (Author) Posted October 14, 2015

It appears they're catering to Joe Consumer by mimicking Apple in some regards and running around like a fox in a hen house, stealing all the data while you pay no attention to the man behind the curtain. Both companies' offerings are functioning as they have specified so the only things left to improve are fonts, menus and emojis for christsakes.

Apple releases flat menus and new fonts in Yosemite -> Microsoft releases flat menus and new fonts in Windows 10
Apple releases new emoji in iOS 9 -> Microsoft releases new emoji in Windows 10

I've listened to headline news on the net and on radio news/talk shows where grown men are excited about new SMILEY FACES as much as they are about cars/sports/new power tools?!!!? They're just smiley faces!

Reported for Apple's release: "you’ll see a ton of new emoji on the keyboard including taco, unicorn, a stop hand, turkey, burrito and block of cheese." A block of cheese!

Reported for Microsoft's release (Forbes no less!): "Microsoft has its mojo back. Under Satya Nadella the company is now radical, cool and determined to take risks. Apparently even with its emoji…While it may offend some, the middle finger emoji is at least racially diverse and it is included in five new Windows 10 emoji skin tone options."

I'm saving my money so I can buy the next ticket off this planet.

NoelC Posted October 14, 2015

You made my night, the way you wrote that.

-Noel

maxXPsoft Posted October 14, 2015

Well can't find where I read that so my bad, maybe wishful thinking cause first few days on 10240 it only allowed MS account if you wanted to download from store. They now letting you use work or school. And all the puppies will follow so obediently.

The workaround does work. I tried with 2 app just to check it. I imaged back to having Store and app connector I think is required to use it also.

For the average user trying to figure out how to sign out of store is not easy. You click your icon, then under account you click on the account again and the Sign out is there.

%$#@ Dam I get no cheese block on my samsung. may commit hairy my carey. But I would like to give MS their MF back nlm

Edited October 14, 2015 by maxXPsoft

jaclaz Posted October 17, 2015

> I'm saving my money so I can buy the next ticket off this planet.

The issue being of course that those tickets are only sold online through an app that you can only have through a "downloader app" from the Windows Store, accessible only once you have logged in with your Microsoft Online Account and that buying one will activate an interstellar tracking cookie on all your devices ....

jaclaz

Edited October 17, 2015 by jaclaz