| ▲ | gruez 7 hours ago |
| >Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d...": Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations. |
|
| ▲ | dspillett 6 hours ago | parent | next [-] |
| > Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? Not just an “outlook account” - any account in outlook, with default settings at least. I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?). > but this feels like it breaks all sorts of security/privacy expectations. It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants. The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”. |
|
| ▲ | butvacuum 7 hours ago | parent | prev | next [-] |
| Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication. It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections. |
| |
| ▲ | gruez 6 hours ago | parent [-] | | >Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication. Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy. | | |
| ▲ | butvacuum 4 hours ago | parent | next [-] | | yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM(or any variant) passwords in a few hours. Not that you need to with Pass The Hash. | |
| ▲ | lazide 6 hours ago | parent | prev [-] | | Not necessarily, the server can say it only supports basic auth and…. | | |
| ▲ | gruez 4 hours ago | parent [-] | | I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords. | | |
| ▲ | lazide 4 hours ago | parent [-] | | Outlook appears to be | | |
| ▲ | p_ing 4 hours ago | parent [-] | | The 'https://' disagrees with your 'sending clear text passwords' statement. | | |
| ▲ | lazide 15 minutes ago | parent [-] | | It’s clear text to the receiving server, which is what we’re talking about, not one way hashed. |
|
|
|
|
|
|
|
| ▲ | brulx126 7 hours ago | parent | prev | next [-] |
| Not just that, the new outlook app makes Microsoft a complete man-in-the-middle for your email account. https://www.xda-developers.com/privacy-implications-new-micr... |
| |
| ▲ | kstrauser 2 hours ago | parent | next [-] | | I am so glad people are finally noticing and complaining about this. It's the same reason I won't use Spark or Superhuman. Those are neat services, but I can't abide storing the creds to perhaps the most security-sensitive service I use to a cloud provider. If they get hacked, then the attacker can access my email account, send phishing emails to my contacts, read and respond to password reset requests they make to other online services, etc. It would be disastrous. No, I'll keep my credentials stored and used locally, thanks. | |
| ▲ | donmcronald 4 hours ago | parent | prev | next [-] | | They store passwords and proxy everything at the same time they’re pushing OAuth, authenticators, passkeys, etc. for their own services. Everyone should have revolted when they bought Acompli and started doing this kind of thing. | |
| ▲ | amluto 5 hours ago | parent | prev | next [-] | | This seems like it would completely break any attempt to track access from unauthorized users or devices — any IT department using a backend other than Microsoft’s would need to pretend that all access from MS’s servers is safe. | |
| ▲ | koakuma-chan 6 hours ago | parent | prev [-] | | And? Do you think Gmail is end to end encrypted? | | |
| ▲ | gruez 6 hours ago | parent | next [-] | | My bank isn't end to end encrypted either, but that doesn't mean it's suddenly ok for Microsoft (or any other company) to suddenly start MITMing my online banking connections. | |
| ▲ | brulx126 6 hours ago | parent | prev | next [-] | | I am talking about the fact that the new default email client on Windows will hand over all your email credentials to Microsoft. This has nothing to do with Gmail. | | | |
| ▲ | delfinom 6 hours ago | parent | prev | next [-] | | I think the concern is that it copies the emails of your non-Microsoft accounts that you added to the Outlook app, over to Microsoft servers | |
| ▲ | AlexandrB 6 hours ago | parent | prev [-] | | Adding a bunch of middlemen that also see the data increases the risk. |
|
|
|
| ▲ | thedanbob 7 hours ago | parent | prev | next [-] |
| It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending. |
| |
| ▲ | RajT88 6 hours ago | parent | next [-] | | I bought a hardware password manager a while back and the bulk load tool sent all your creds to a cloud service. I have not used it since, and sent the manufacturer a nasty note. It was the Ethernom Beamu, company now defunct. | |
| ▲ | spiffyk 7 hours ago | parent | prev | next [-] | | I would expect such a feature to use end-to-end encryption for the data, so that only the user can see the credentials. It does, right? Right? | | |
| ▲ | gruez 7 hours ago | parent [-] | | >>multi-account sync and scheduled sending >I would expect such a feature to use end-to-end encryption for the data How would "end-to-end encryption" when such features by definition require the server to have access to the credentials to perform the required operations? If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit". | | |
| ▲ | treyd 6 hours ago | parent [-] | | > If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit". This is what Zoom claimed was e2ee for a little while before getting in trouble for it. |
|
| |
| ▲ | tom1337 7 hours ago | parent | prev [-] | | Do you mean Spark? I get why they need to do it that way but I also hate that they have to do it that way because it sucks for privacy. |
|
|
| ▲ | tga 7 hours ago | parent | prev | next [-] |
| Most likely, and nobody cares. Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there. The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail. |
|
| ▲ | Neil44 5 hours ago | parent | prev | next [-] |
| I think the curl -u switch just requires the password field to be filled, there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server. |
| |
| ▲ | gruez 4 hours ago | parent [-] | | >I think the curl -u switch just requires the password field to be filled Yeah you're right, if you don't specify the password (eg. -u user), it prompts you for it >there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server. But presumably the fact it's there at all suggests it's a required parameter? Maybe "password" is just a placeholder, but it's unclear based on the command line transcript alone. |
|
|
| ▲ | dec0dedab0de 7 hours ago | parent | prev | next [-] |
| I think outlook is pretty much a saas product these days. |
|
| ▲ | nhinck2 7 hours ago | parent | prev | next [-] |
| Yeah since the Windows 11 2023h2 update. |
|
| ▲ | 1718627440 5 hours ago | parent | prev [-] |
| Always has been. |
