Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling.  When running a browser through a proxy you can see soap requests being made to Microsoft as you hit each page.  Here is what the requests look like.

POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1

Accept: text/*

SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"

Content-Type: text/xml; charset=utf-8

User-Agent: VCSoapClient

Host: urs.microsoft.com

Content-Length: 648

Cache-Control: no-cache

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/"><r soapenc:arrayType="xsd:string[1]"><string>http://zero.webappsecurity.com/pindex.asp</string></r><ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID><v soapenc:arrayType="xsd:string[5]"><string>7.0.6004.6</string><string>7.00.5824.16386</string><string>7.0.6000.16386</string><string>6.0.6000.0.0</string><string>en-us</string></v></Lookup></soap:Body></soap:Envelope>

You can see in the soap envelope the full URL of the site I am browsing.  Upon further investigation, this is how IE7 implements their real time Phishing notification.  In the settings of IE you will find the option to disable or enable this under “Phishing Filter”.  This raises a some serious questions, here are just a few that I can think of:

1)      I don’t recall being notified that this was occurring.  Now I am the first to admit I don’t read every installation page, disclaimer or EULA but I would think this would be a BIG screen explaining the setting and the consequences of the option.

2)      Everyone knows you can trust MS with personal data, but this is a bit much.  The ability to track every single web page that is visited is needless to say powerful information.

3)      Why in the world does Microsoft feel it necessary to check INTERNAL ADDRESSES for phishing web sites?  Yes, this actually happens.  I browsed to a 172. address and a request with the full internal IP was sent to Microsoft.

4)      Post data and query data is not submitted, but what are the implications of websites that keep session state in the URL or user sensitive information (seen in URL rewriting).  This data being transferred to a site other than the one I am visiting, even though via SSL, still does not give one a warm fuzzy feeling.

5)      What are the other parameters in the request used for?  Client-Key?  It this key really tied to me?  If so, is it really necessary for MS to know this to inform me of a phishing site?

Feel free to comment on other implications that you can think of.