Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.
I am so glad people are finally noticing and complaining about this. It's the same reason I won't use Spark or Superhuman. Those are neat services, but I can't abide storing the creds to perhaps the most security-sensitive service I use to a cloud provider. If they get hacked, then the attacker can access my email account, send phishing emails to my contacts, read and respond to password reset requests they make to other online services, etc. It would be disastrous.
No, I'll keep my credentials stored and used locally, thanks.
They store passwords and proxy everything at the same time they’re pushing OAuth, authenticators, passkeys, etc. for their own services. Everyone should have revolted when they bought Acompli and started doing this kind of thing.
This seems like it would completely break any attempt to track access from unauthorized users or devices — any IT department using a backend other than Microsoft’s would need to pretend that all access from MS’s servers is safe.
In response to discovering this any competent IT department would immediately move to ban the use of any offending apps and blacklist the MS servers from the relevant backends. Also I guess rather than drop the connections ideally you would want to accept the initial request, record the provided credentials, and then lock said account because the credentials have clearly been compromised and the user is now known to be making use of a banned app.
It’s also the case that, of the major cloud providers, one of them is quite notably poor at securing its own systems. If I were a company that cared about security, I would not want Microsoft holding credentials to my system.
My bank isn't end to end encrypted either, but that doesn't mean it's suddenly ok for Microsoft (or any other company) to suddenly start MITMing my online banking connections.
I am talking about the fact that the new default email client on Windows will hand over all your email credentials to Microsoft. This has nothing to do with Gmail.
Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.
>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.
yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM(or any variant) passwords in a few hours. Not that you need to with Pass The Hash.
I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
I bought a hardware password manager a while back and the bulk load tool sent all your creds to a cloud service. I have not used it since, and sent the manufacturer a nasty note.
>I would expect such a feature to use end-to-end encryption for the data
How would "end-to-end encryption" when such features by definition require the server to have access to the credentials to perform the required operations? If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit".
Use our new open source (modification and redistribution not permitted) app to exchange end-to-end encrypted (from your client to our server) messages with your friends! Having all your data on our service protects your data sovereignty (we do not provide for export or interop) by guaranteeing that you always have access to your full history! Usage also protects your privacy (we analyze your data for marketing purposes) by preventing unscrupulous third parties from analyzing your data for marketing purposes.
If we had competent regulators this sort of blatant willful negligence would constitute false advertising.
Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
I think the curl -u switch just requires the password field to be filled, there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server.
>I think the curl -u switch just requires the password field to be filled
Yeah you're right, if you don't specify the password (eg. -u user), it prompts you for it
>there obviously isn't a legit user account test@example.com with a password of password either at microsoft or at the Japanese imap server.
But presumably the fact it's there at all suggests it's a required parameter? Maybe "password" is just a placeholder, but it's unclear based on the command line transcript alone.
Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.