Windows 11 Update 23H2 is stealing users' IMAP credentials

Enderboi
37 replies
12h34m

As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.

Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one that's actually making the connection.

Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!

Cloud-first, in all the wrong ways. It's supposed to be a local app..

Fischgericht
11 replies
11h52m

Spot on.

I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...

hulitu
8 replies
9h27m

I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

If Microsoft has the power to pay the EU for laws in its favour, I presume (I am actually sure, see "die Welt") that paying some newspapers poses no big logistical problems.

yorwba
2 replies
8h49m

The big logistical problem is: How do you select which newspapers to pay?

All of them? Now you've announced that you've got something to hide and are trying to pay off newspapers to hide it. One of them is going to decide that this story is too juicy not to publish.

Only those that find out some other way and ask for comment? Well, in this case Microsoft didn't reply to c't Magazin's request for comment before publication...

hanselot
1 replies
3h30m

Just one or two probably. One right and one left wing publication.

One side writes a piece, something like: "How the new Outlook saved my {insert protected class}", another one on the other side something like "New Microsoft Outlook uses your mail credentials to steal your DNA via nanosites because Bill Gates wants access to your children."

And then the rest of the media pick it up from there, spin it in their respective direction, receiving their generous donations from one of the numerous MS foundations that funnel money into these places, based on how damaging their puff pieces were.

Now nobody cares about the problem anymore because they are too busy fighting each other.

BobaFloutist
0 replies
56m

"How the new Outlook saved my LGBT" "How the new Outlook saved my Woman" (Hey, this actually parses! Though not in the intended way...) "How the new Outlook saved my African American" (ok, this is getting troubling) "How the new Outlook saved my Christianity" (The first article I'd actually read) "How the new Outlook saved my Age" (big scope!) "How the new Outlook saved my Ex Serviceman" "How the new Outlook saved my Disability"

close04
1 replies
5h49m

MS (and other enterprise big tech) gets laws in their favor in the EU because the EU has no solid alternative to MS. There is no EU based big cloud provider with similar capabilities, software ecosystem, integration, nobody offering a comparable office suite, familiar operating system with legacy compatibility, collaboration platform, etc.

Even when you have solid competitors for individual components, the whole package is hard to resist. So they're stuck with MS for the moment, and slowly get absorbed in that ecosystem making it even more entrenched. But MS doesn't need to pay to get the law, they just have to let EU companies try out alternatives until they go back to being slowly boiled with MS. The EU is looking for excuses to excuse MS because everyone decided the price we all know now is worth paying to get access to a full ecosystem that fills all other needs.

Effectively the EU is "paying" MS to stay, not the other way around.

c4mpute
0 replies
3h15m

It is even worse.

MS doesn't need to do anything. They don't need to pay anyone off. EU bureaucracy is extremely strongly wedded to MS products like Windows, Office, Teams, Outlook etc. As are all EU national bureaucracies and public institutions.

There are firm opinions by e.g. the BSI (German IT security office, comparable to something between NSA, mostly NIST, DHS and ANSI) and other equivalent European national offices that it is practically impossible to operate modern MS products securely. E.g. there are guidelines from BSI like "we know that in that exact version (which is years old, because the guideline took ages to write) you need to set the following registry keys to prevent data exfiltration. Btw. this won't help you, because you also HAVE to upgrade within a few weeks of each available update". There are firm opinions by multiple European data protection offices that basically say the same about GDPR compliance in MS products. Practically impossible to achieve, there might have been that one configuration, "Once upon a time of writing the report, with that specific version of Windows and Office, when firewalling off half of azure, setting those 300 registry keys, manually deleting the following files, illegal telemetry could no longer be observed. Also, you are obliged by GDPR to follow good practice and update regularly, so good luck with that...".

Basically it is illegal to process any personal data using MS products in the EU if the processing system has any kind of outgoing internet connection. All the bureaucracies ignore this systematically, citing the "impossibility" of working without said MS products. Migration plans away from those illegal processes are regularly cancelled, ignored or never completed. MS is free to do whatever it wants, they are never really investigated, fined or held to any laws.

Meanwhile, other big IT firms like Meta, Google, Twitter/X and lots of others are held to far higher standards. Where tons of your local government's data about you like tax report, criminal records, school records and similar things are subject to being exported to the US via Azure, MS telemetry and what not. With FAANG there is complaining about comparably laughable stuff like "well, that IP address that Google Fonts could observe...".

The problem, why this doesn't change, is that the local government institution is responsible for their data processing (according to GDPR and other laws), MS being only their contractor. And those government institutions are usually (in almost all EU states) free from GDPR and other penalties, and those penalties would be left-pocket-to-right-pocket anyways.

This is why MS gets a free pass on everything. Imho this must end.

martin_a
0 replies
4h26m

Calling "Die Welt" a newspaper is the problem at hand. It should be labeled as yellow press, but yeah...

hutzlibu
0 replies
4h32m

Why even pay newspapers, when most do not understand the problem anyway, and so do not want to read about it?

Microsoft is already taking so much data, I would have trouble explaining to the layperson why this incident is worse than all of the other shit they are doing.

generic92034
0 replies
5h6m

The parent's remark was about US media. Hardly "some newspapers" to pay, and how does the EU come into play here?

vasdae
0 replies
6h59m

They have been doing this for years. The mobile outlook app has had microsoft servers check for mail on the user's behalf since forever.

Enderboi
0 replies
11h38m

We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P

Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology" actually means "This is no longer really a local IMAP client".

vladvasiliu
3 replies
4h6m

Cloud-first, in all the wrong ways. It's supposed to be a local app..

It's actually a really weird app. I have a windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "new outlook".

Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside outlook, since I only need to skim them at best.

But this time, I clicked "open in word". The thing took ages. First it uploaded the doc somewhere on onedrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is ms products do when they have you waiting around for no apparent reason. Then it finally opened the doc in word online. All the while having a perfectly good copy of word sitting on the same nvme drive as the freakin' attachment.

Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.

mattgreenrocks
2 replies
3h54m

New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.

In a corporate office environment, that’s one of its two jobs.

PascLeRasc
1 replies
2h28m

New Outlook also fails at its second job for me, it won’t fetch email unless it’s the active window.

vladvasiliu
0 replies
2h19m

I wonder if this is related to the Edge feature of "freezing" tabs, since New Outlook is clearly an Electron-like contraption, but I think they're supposed to use the Edge Web Views instead of shipping their own electron runtime.

At least it doesn't crash. At one point, it used to just die on me. They've also fixed the window decorations and random icons in the left toolbar, which used to become weird on mouse over.

There's also something else odd going on with the app. When I start it from the start menu, there's a very long lag between my pushing enter and the start menu going away. This happens every time I start outlook after a fresh boot, but doesn't happen with other shitty apps, like New Teams. For those, it disappears right away, even though the app doesn't start up instantly. It doesn't matter the order in which I start them, nor if I only start Outlook after the machine has been running for a while.

reactordev
3 replies
9h56m

Curious why they are making the connection on your behalf. Could it have anything to do with LLM’s? Either way, if I were IT, I’d be livid.

hedgehog
2 replies
7h16m

It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea, mobile mail systems going back to Danger, BlackBerry, Good, etc have done this and probably there was precedent before that.

oefrha
0 replies
6h1m

It’s quite amusing to read all the clueless comments acting as if this is some Microsoft invention, from people who apparently haven’t read up on the state of MUAs for the last two decades, if ever.

Tijdreiziger
0 replies
4h5m

Depends very much on the client. Samsung Email is atrocious, but Apple Mail works great (and I think they’re both local clients).

patrakov
2 replies
10h13m

Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).

martin_a
1 replies
4h24m

This is nothing user-facing. Microsoft will run that in the background, firewalling it off breaks it, so they'll have to act.

__david__
0 replies
1h26m

The emails are user facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.

mnw21cam
2 replies
7h7m

You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.

dtech
0 replies
6h45m

The credentials only give access to the user's data so they damn well should be free to give those credentials/data* to whomever they please. Keyword give, Microsoft shouldn't build a de-facto keylogger.

* Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.

bogantech
0 replies
6h49m

As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

Why would they? The users can do whatever the hell they want with their credentials

agilob
2 replies
3h50m

Limit Azure connections to 500 b/s. Make them wait and keep slowly moving connections active.

PinguTS
1 replies
3h29m

And you'll still have your users complaining to you, not to Microsoft.

agilob
0 replies
3h5m

but at least MS is paying the bill too

junaru
1 replies
5h55m

firewall azure ranges

This will happen naturally as users change their credentials on server but not on outlook. Outlook proxy will try wrong password for 5 or so times and will get their IPs banned. This will affect many more users using the same server.

This will generate tickets for you and you will direct them to use plain local IMAP clients instead.

This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.
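Added example, not code from the thread: a defender-side check a mail host could run over its own IMAP login log for the two symptoms described above by Enderboi (credentials presented from a relay rather than the user's own device) and by junaru (a relay retrying a stale password until its IP trips a ban that then hits every account behind it). The log format and the relay CIDRs are constructed placeholders, not real Microsoft ranges.

```python
"""Constructed example: flag IMAP logins that arrive from a mail-sync relay
instead of the account owner's own device, and count failed logins per relay
IP (the case where a stale password on the relay side gets a shared IP banned).

Everything below is assumed/constructed for the example:
- log lines use a Dovecot-like "imap-login: Login: user=<...>, rip=<ip>" shape;
- RELAY_RANGES are placeholder CIDRs (RFC 5737 test nets), NOT real
  Microsoft or Azure ranges; a host would substitute the ranges it observes.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder relay ranges (constructed; not real provider ranges).
RELAY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample IMAP login log (Dovecot-like format).
SAMPLE_LOG = """\
Nov 14 09:01:02 mx1 dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS
Nov 14 09:03:17 mx1 dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.5, TLS
Nov 14 09:04:40 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.net>, method=PLAIN, rip=203.0.113.78, lip=10.0.0.5, TLS
Nov 14 09:05:01 mx1 dovecot: imap-login: Login: user=<carol@example.net>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.5, TLS
Nov 14 09:06:12 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.net>, method=PLAIN, rip=203.0.113.78, lip=10.0.0.5, TLS
Nov 14 09:07:30 mx1 dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.99, lip=10.0.0.5, TLS
"""

# One regex for both successful logins and auth failures; 'event' tells them apart.
LINE_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected \(auth failed)[^:]*: "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def is_relay(ip: str) -> bool:
    """True if the remote IP falls inside one of the configured relay ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_RANGES)


def analyse(log_text: str):
    """Return (relayed, failures):
    relayed  -- user -> set of relay IPs that successfully authenticated as that user
    failures -- relay IP -> number of failed authentications from it
    Logins from non-relay addresses are ignored: those are the user's own clients.
    """
    relayed = defaultdict(set)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_relay(m["rip"]):
            continue
        if m["event"] == "Login":
            relayed[m["user"]].add(m["rip"])
        else:
            failures[m["rip"]] += 1
    return dict(relayed), dict(failures)


def relay_ips_near_ban(failures: dict, threshold: int) -> list:
    """Relay IPs whose failure count has reached a fail2ban-style threshold.
    Banning such an IP cuts off every account relayed through it, not just the
    one whose stored password is stale."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    relayed, failures = analyse(SAMPLE_LOG)
    for user, ips in sorted(relayed.items()):
        print(f"{user}: credentials presented from relay {', '.join(sorted(ips))}")
    for ip in relay_ips_near_ban(failures, threshold=2):
        print(f"relay {ip} has {failures[ip]} failed logins; a ban would hit all accounts behind it")
```

On the sample log, alice is the only account whose password is being presented from a relay address, and the single relay IP retrying bob's old password is the one an automatic ban would block for everyone.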

layer8
0 replies
4h47m

Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).

jeroenhd
0 replies
3h42m

You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).

It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.

blackoil
0 replies
3h52m

Curious, you are an email host for what? If it is a corporate entity, can't you control the devices your employees can access mail from or which client is whitelisted? If it is public, why do you care where the mail server is hosted?

I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.

ale42
0 replies
5h57m

Is MS sharing the list of IPs to firewall, somewhere?

HeavyStorm
0 replies
19m

Also, no idea why rebuilding outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same nor do I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).

New Outlook lacks many, many features its predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.

Whoever made the decisions on this should rethink their career.

Elucalidavah
0 replies
2h42m

Cloud-first

Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.

93po
0 replies
2h51m

My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot

reddalo
31 replies
7h40m

What's left now, for Windows users? I think the only solution is Thunderbird

squarefoot
8 replies
6h54m

Claws Mail: powerful and lightning fast and 100% multi platform native code. (MacOS too but has to be built or downloaded elsewhere)

https://www.claws-mail.org/downloads.php

There's a small command line tool around (can't recall the name, sorry) to convert message bases and contacts from Outlook format so that they can be imported into Claws Mail. I once did that at a workplace where they were having all sort of problems with Outlook and a fairly big mail archive and saw people dropping their jaws when looking at the difference in search speed. Give it a try.

vasdae
7 replies
6h47m

Claws is GTK+, so it's not native.

phendrenad2
3 replies
6h32m

Actually, on Windows GTK uses native widgets.

vasdae
2 replies
6h19m

No, using DrawFrameControl et al does not make a widget native.

lifty
1 replies
5h42m

What is native these days? They seem to have a new UI toolkit every 2 years.

cesarb
0 replies
3h8m

The only native controls on Windows are the classic Win16/Win32 controls, accept no substitutes (not even that new-fangled comctl32 thing).

Narishma
1 replies
3h31m

Is Outlook even native these days?

heffer
0 replies
2h6m

Cloud Native, the only type of native that matters these days ;-)

tux3
0 replies
6h31m

Native code, not native UI (whatever that means, these days)

ynik
7 replies
6h21m

Stop using Windows. It is foolish to assume that any data on a Windows machine can stay out of the Microsoft cloud.

E.g. Microsoft Edge on first launch can import bookmarks+stored passwords from Firefox (AFAIK without any user interaction, unless I clicked without thinking), and it also defaults to uploading this data to the Microsoft cloud (unless you're using a local account?).

hospitalJail
4 replies
4h13m

Yep, I finally made the cut after they by default hijack your filesystem to onedrive. They can literally delete offline files.

I was utterly shocked to find Linux Desktop has more uptime than Windows. Windows forced updates caused so many issues dealing with autosaves, I was spending like 5-10 minutes per day reopening all my programs for work.

Those random linux annoyances you need the terminal for? I had like 1 or 2 of them during month 1, solved faster than a single Forced Windows Reboot. Fedora has been flawless 5 months later.

The only terminal work I do is opening ports for my kid's games. It really is the year of the Linux Desktop. It's utterly shocking to me I'm saying it, I was a hater for so long.

trelane
2 replies
3h49m

Those random linux annoyances you need the terminal for?

Generally, if you want hardware that you don't have to fight, the only option is to buy computers with Linux preinstalled, with support. Modern computers are sufficiently complicated that they really only can support one OS. And, for consumer hardware, they even half-ass that.

hospitalJail
0 replies
3h7m

It was that Fedora didn't have some video codec that reddit used.

I googled it, it was like copypasting 2 or 3 commands, then I could watch reddit videos.

I can't remember the other bug, it might have been an ID10T error.

Can't even blame Linux for that, I have to install way more stuff to make Windows work out of the box. Fedora weirdly has lots of stuff already installed.

bogwog
0 replies
2h43m

That's not accurate. Most hardware works out of the box with zero config on all the major distros. There are always some machines with unsupported hardware of course, but it's more the exception than the rule nowadays. This is especially true if your hardware is at least a year old.

I would say that "Generally", it's not a thing you need to worry about. If something isn't working, it's probably a configuration issue on your side. The easiest way to avoid that is to pick an immutable distro like Fedora Silverblue, Suse MicroOS, and soon Ubuntu Core Desktop. Combine that with Flatpaks, and you pretty much never have to touch a terminal or worry about a broken system.

jofla_net
0 replies
1h16m

I couldn't believe how much better the GUI had come in years as well. Around 2020 I tried a new work laptop with Ubuntu and was blown away. Without any fuss google meet worked in FIREFOX with full webcam audio support on a dell xps. Just to compare I went to the ms teams site, and of course it couldn't even get off the ground with firefox. "your browser isn't supported." It was obvious MS was/is crippling it artificially, and then it dawned on me, I just had my year of the linux desktop.

acidburnNSA
0 replies
2h8m

I use Windows for work because that's what corporate likes. But at home I've been running only Linux on laptops and desktops since 2006. In 2020, I switched my mom's home computer to linux. It's been a joy.

Why does anyone use Windows at home anymore? I guess gaming is still an issue?

InCityDreams
0 replies
2h4m

Stop using Windows.

Er....no? Though I do spend an inordinate amount of time closing as many holes as possible. Unfortunately, windows is ok. The telemetry, ads and other bullshit is embarrassing but the software I run is on windows. Tried Linux, various ones, but I spent more time messing about that (software didn't cut it, drivers were an arse for audio, graphic setup was strange) it was a relief to go back. Linux reminds me of w3.1 and all that memory allocation bollocks just to run a game. I choose my lazy acceptance, combined with 'as much as I can do to protect myself', over beating my head over a whole operating system that doesn't cut it for what I require. I won't entertain macs as I trust apple even less (for being closed).

greyface-
3 replies
7h16m

PuTTY + Mutt? :)

jkaplowitz
1 replies
7h2m

I’ve done that myself over the years. :)

Windows now directly offers OpenSSH and a decent modern terminal app, so while PuTTY still works it’s no longer necessary for accessing mutt over SSH from Windows. Also with WSL you can also run mutt locally on Windows within a userland Linux distro like Ubuntu or Debian.

alt227
0 replies
6h11m

This is honestly my favourite thing about windows in recent years. Now that you can just fire up native windows terminal and type 'ssh user@host.com' it has saved me so much time, and probably downloads for putty have dropped considerably as well.

layer8
0 replies
4h43m

That’s actually precisely what I use. :)

einr
3 replies
6h55m

If, like many of us, you work in an org that refuses to authorize Thunderbird or anything else for IMAP+Oauth2 to Exchange Online then there are no other solutions. Outlook is e-mail, e-mail is Outlook.

layer8
0 replies
4h43m

You don’t have to use that for your private email though.

jwells89
0 replies
2h12m

The online school I’m attending is like this with its email. My options are to run the Outlook for Mac desktop app (which oddly seems to be a different beast than “new” Outlook on Windows) or keep Outlook webmail open in a tab. Not even Apple Mail via its Exchange support is permitted.

I ultimately landed on keeping the desktop app open to reduce browser clutter and for the icon notification badge so I don’t miss any important emails.

AnonC
0 replies
2h45m

This is what is so annoying with companies these days. Microsoft has them by the #%!!$ and they’ll continue taking all the productivity loss and other risks just so someone can check a box and say “We trust in Microsoft to manage this, and we’re off the hook.”

There are solutions like the Owl extension for Thunderbird, but that’s for the adventurous ones who want to take risks.

tuetuopay
1 replies
6h29m

I switched to Mailspring a year or two ago and am very happy about it. It's based on electron so here be dragons, but does the job quite well. It's simple and basic and no fuss while not being an eyesore. Basically, a clone of the Mail app on macOS.

thedanbob
0 replies
4h40m

I've tried to use Mailspring a couple of times on Linux but apparently server syncing is still broken after 5+ years[0]. Until it works reliably I'm stuck with Thunderbird.

[0]https://community.getmailspring.com/t/disappearing-emails-de...

KronisLV
1 replies
7h19m

I think the only solution is Thunderbird

Some while ago, there was a bit of backlash over their re-design, but after actually using the more recent versions, I have to say that they did a good job - you can toggle the display density of the UI elements and it's still a good mail client with reasonable performance and usability.

I can even sign e-mails with OpenPGP and did you know that it also has a built in RSS feed reader (a bit clunky, but having news sites/blogs be a folder that's right next to my e-mail accounts works brilliantly well)? In addition, I have it both on my Windows and Linux machines, surprisingly consistent across the board.

Honestly, I couldn't be happier. Maybe also Roundcube hosted on VPSes for my own development mail servers when I don't feel like adding bunches of accounts to Thunderbird, but it's really nice that there's software like this out there in the first place!

soco
0 replies
4h29m

My favorite RSS reader is Feedbro in Firefox, maybe on the minimal side but exactly what I need.

layer8
0 replies
4h44m

l_nk
0 replies
3h27m

I use eM Client and I recommend it. It works super good, no issues with GMail calendar, Exchange server or any other weird quirks like Thunderbird (used to) have.

The disadvantages are that it's paid (one time payment) and Windows only (no linux version).

vasdae
20 replies
8h45m

It is not stealing anything because you get a dialog asking you for permission to do it. If you give someone permission to take something, they are not stealing it.

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...

logifail
8 replies
8h34m

It is not stealing anything because you get a dialog asking you for permission to do it

That dialog talks about sync but notably does not mention credentials at all.

Surely this is an instance where informed consent is needed, with full disclosure of what's going to happen.

Something along the lines of: "this means your IMAP username and password will be passed to Microsoft where we will store it indefinitely so we can regularly log into your IMAP server to sync your messages".

Of course, users are less likely to consent if you explain exactly what's going to happen...

oaiey
7 replies
8h16m

That is the IT understanding, but legal-wise, I think, they are good with the informed consent on the use case. Distasteful, but fine.

veqz
2 replies
8h3m

It is not informed consent if people don't understand what is happening, though.

oaiey
1 replies
3h29m

Well, they consent to the fact that data is "synced" to Microsoft. That is the use case and the consent-able item. The password is just a random property of that item. And that is literally on the screen. That is broad but that is how privacy topics are generally handled.

I also do not like it.

gpvos
0 replies
2h44m

If the data includes credentials but that isn't explicitly mentioned when asking for consent, I seriously hope that won't hold up before a judge.

zelphirkalt
1 replies
8h9m

I am not so sure about that. Are they allowed to simply assume "expert" knowledge?

c4mpute
0 replies
1h36m

No, they are not. GDPR notices (which this is) must be understandable to the layman. Including all consequences like "this will also allow access to other services secured with the same university/company-wide password".

This could also be a punishable crime in Germany: https://www.gesetze-im-internet.de/stgb/__202c.html and other articles around that one.

nolok
1 replies
7h5m

I genuinely don't understand how you can come to this conclusion.

If I open the door to someone and allow them to take picture inside my house, there is no legal understanding that they are now allowed to make and keep a copy of my keys.

The understanding is that I allowed to take the picture (make the sync), through the access that I gave (door opened / imap connection made). And the underlying understanding is actually that I remain in control of access later on, meaning they can't do it again without me opening the door / connecting again.

Microsoft knows that, because they buried that information inside the webpage that the consent dialog links to, except the dialog doesn't say "important detail there" but "for more information see there" aka pretend the dialog's summary is correct.

If anything, coupled with the awkward Outlook (but not Outlook) naming this is one more of their modern moves that will piss off enterprise IT admins. Your employee opens the "wrong" outlook, types his office credentials and then Microsoft now has outside of your corp account a copy of all data of that employee AND its credentials. If there was any actual real competitor in their field they would never be able to pull such crap.

oaiey
0 replies
3h18m

Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch Emails. Let us not assume we talk about a one time "sync".

And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that anything data privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.

I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).

Fischgericht
4 replies
6h49m

At least in the EU it is.

Explained in detail, here.

https://gdpr.eu/gdpr-consent-requirements/

Consent must be specific, informed, freely given and unambiguous. The user must be able to revoke consent at any time, as easy as it was providing the consent before.

Very clearly the Microsoft "consent" info does not tick any single one of those items.

Illegal.

Fischgericht
3 replies
6h31m

Or, in other words:

There is much to criticize about the EU. But where the US has brought the world "By farting during installation of this software you consent to us stopping by and taking your first born child" kind of EULAs / "choices", EU's GDPR is forcing big tech to treat humans as humans again (instead of just data).

deaddodo
2 replies
2h16m

I don't know why political entities are brought into these conversations other than for some sense of high-horsedness or a figurative pissing contest.

GDPR is good. So is CCPA, COPRA, etc. Meanwhile, both the EU and the US have plenty of predatory legislation that allows companies to do all kinds of fucked up things.

paledot
1 replies
1h30m

Because nuance is valuable? "GDPR is good" doesn't remotely address its strengths and failings, nor the conflicting incentives and motivations that produced it.

I agree that there's no room for home-team mentality here, but we should absolutely assign credit and blame where it's due, especially when those of us who don't live in a jurisdiction with such a law gain some halo-effect benefit.

Fischgericht
0 replies
24m

My comment wasn't meant as a pissing contest. It's not me who has created GDPR, I did not have a choice of getting born in the EU, it just happened :)

But I am pretty impressed that in these days where most regulations for pretty much everything are defined by lobbyists, GDPR actually did happen, ended up being a very reasonable set of rules, and actually gets enforced. It was written well, and unlike with other regulations it's not full of loopholes.

Laws and regulations created to the sole benefit of your general population are just something you can't take for granted these days anymore. Therefore, for me GDPR is kind of magic.

tzs
0 replies
3h24m

It is not stealing anything because you get a dialog asking you for permission to do it

Also, at least according to several comments on nearly any story about movie piracy, it is not stealing because all they have done is made a copy.

pacifika
0 replies
8h13m

Is it asking for informed consent for a change when the UI encourages and defaults to not keeping the status quo?

jsiepkes
0 replies
8h0m

The dialog talks about needing to synchronize your email account. It then goes on to tell that contacts and events are not synchronized. No one will reasonably suspect your authentication credentials are sent to Microsoft. Such reasoning of this dialog will never fly in a German court.

estiaan
0 replies
6h49m

I disagree. I think that you can’t consent to something you don’t know about and certainly not something you don’t understand. This includes every single eula that everyone agrees to without reading. In my opinion that is not an agreement, as an agreement requires informed consent.

Unfortunately our legal system strongly disagrees with me but that’s my two cents

bald42
0 replies
7h16m

When I saw that I immediately cancelled the "new outlook" tryout and wrote in the feedback form I don't want my mails in the Microsoft cloud.

martinald
20 replies
15h41m

"Although TLS protected, the data in the tunnel runs to Microsoft in plain text". What? Not sure if this is a mistranslation but this makes absolutely no sense. TLS is encryption. Why would they further encrypt it "in the tunnel"?

Fischgericht
16 replies
15h20m

What they are talking about is that your passwords are uploaded via HTTPS/TLS, so an encrypted connection, but what they are sending are your full passwords in plain text over it.

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...

quietbritishjim
15 replies
12h14m

For IMAP to work you need the original password, not e.g. a hash.

Once you've decided to send the actual password, whether wise or not, the best you can do is encrypt it, and TLS does that.

What else would you expect?

yjftsjthsd-h
3 replies
9h36m

What else would you expect?

I would expect user credentials to not be uploaded without giving an extremely explicit explanation and receiving informed consent from the user.

alt227
2 replies
6h9m

Also, the credentials have to be stored in plain text. M$ servers cannot auth with your IMAP host with a password hash, so they must be saving the plain text password somewhere which seems absolutely crazy to me.

thiht
0 replies
2h31m

No, that's just wrong. They can store these credentials encrypted with algorithms such as AES-256. No need to store them in plain text.

This is actually standard security practice when you absolutely have to store a key in a way that you can use it later, such as a password or an API key.
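What "stored encrypted with AES-256 rather than in plain text" looks like in practice, as an added Go example (not code from this thread and not any Microsoft implementation): AES-256-GCM with a fresh random nonce per record and the account identifier bound in as associated data, so a blob cannot be moved between account rows and any tampering is detected on decrypt. The 32-byte key and the secret are constructed placeholders; a real service would keep the key in a KMS/HSM that only exposes wrap/unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CredentialVault holds the 32-byte AES-256 key. In a real service the key
// lives in a KMS/HSM that only exposes wrap/unwrap; keeping it in memory here
// is a stand-in (assumption for this example).
type CredentialVault struct{ key []byte }

func NewVault(key []byte) (*CredentialVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	return &CredentialVault{key: key}, nil
}

func (v *CredentialVault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one stored secret. accountID is bound in as additional
// authenticated data, so a blob copied into another account's row will not
// decrypt. Output layout: nonce || ciphertext || GCM tag.
func (v *CredentialVault) Seal(accountID string, secret []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every Seal; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(accountID)), nil
}

// Open decrypts at the moment of use and fails closed on any tampering,
// wrong account binding, or wrong key.
func (v *CredentialVault) Open(accountID string, blob []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is truncated")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(accountID))
}

func main() {
	// Constructed key and secret for the demo; never hard-code a real key.
	vault, _ := NewVault([]byte("0123456789abcdef0123456789abcdef"))
	blob, _ := vault.Seal("account-42", []byte("imap-password-placeholder"))
	fmt.Printf("stored: %x\n", blob)
	pw, err := vault.Open("account-42", blob)
	fmt.Printf("opened for the right account: %q err=%v\n", pw, err)
	_, err = vault.Open("account-43", blob)
	fmt.Println("opened for another account:", err)
}
```

Encryption at rest only narrows who can read the database dump; the service still has to call Open to log in to the IMAP server, so the operator (and anyone who compromises the running service) sees the password in the clear at that moment.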

AlexandrB
0 replies
2h33m

Next time there's a data breach at Azure, there will be fireworks.

magicalhippo
3 replies
11h46m

I would expect them to at a bare minimum encrypt it using a temporary public key before transmission, in case the TLS connection was MITM'ed, and I'd expect them to use those fancy hardware security modules (HSM) they have[1] to protect it on their side.

[1]:https://learn.microsoft.com/en-us/azure/key-vault/managed-hs...

weikju
1 replies
10h7m

It doesn't matter how well they protect it, they still have the credential, and they decrypt it in order to be able to use it, so for all intents and purposes, it's in the clear _for Microsoft_ (and whoever else manages to have access). This is not how it should be.

magicalhippo
0 replies
7h42m

Obviously, and this is something they should communicate clearly.

But if they were to provide such a "service" I'd expect them to minimize exposure, including the steps I mentioned.

magicalhippo
0 replies
7h41m

I was tired and forgot to add they should first check if the IMAP server supports XOAUTH2, and in that case require that to be used.

Still not a great solution but at least not passing the password around.
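The capability check described in the comment above, as an added Go example (not code from this thread or from Microsoft): it parses the server's untagged CAPABILITY line, prefers a token mechanism (OAUTHBEARER from RFC 7628, or XOAUTH2 as Google and Microsoft advertise it), allows PLAIN only once TLS is up, and refuses otherwise. It also builds the XOAUTH2 initial client response, so only a scoped, revocable access token crosses the wire. The capability lines, account name and token value are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ParseCapabilities turns an untagged IMAP CAPABILITY response line
// (RFC 3501 / RFC 9051) into a set of upper-cased capability atoms.
func ParseCapabilities(line string) map[string]bool {
	caps := make(map[string]bool)
	for i, f := range strings.Fields(line) {
		// Drop the leading "*" and "CAPABILITY" tokens of the untagged response.
		if i < 2 && (f == "*" || strings.EqualFold(f, "CAPABILITY")) {
			continue
		}
		caps[strings.ToUpper(f)] = true
	}
	return caps
}

// ChooseAuth picks the SASL mechanism a client should use, in this order:
//  1. OAUTHBEARER (RFC 7628) or XOAUTH2 (the Google/Microsoft variant), so a
//     scoped, revocable access token is used and the password stays home;
//  2. PLAIN, but only once TLS is already established;
//  3. otherwise refuse. Without TLS the password would cross the network in
//     the clear; LOGINDISABLED (RFC 2595) is the server saying the same thing.
func ChooseAuth(capLine string, tlsActive bool) (string, error) {
	caps := ParseCapabilities(capLine)
	if caps["AUTH=OAUTHBEARER"] {
		return "OAUTHBEARER", nil
	}
	if caps["AUTH=XOAUTH2"] {
		return "XOAUTH2", nil
	}
	if !tlsActive {
		if caps["STARTTLS"] {
			return "", errors.New("run STARTTLS first; refusing to send a password in the clear")
		}
		return "", errors.New("no TLS and no token mechanism; refusing to send a password")
	}
	if caps["AUTH=PLAIN"] {
		return "PLAIN", nil
	}
	return "", errors.New("server advertises no acceptable authentication mechanism")
}

// XOAuth2Response builds the SASL XOAUTH2 initial client response,
// base64("user=" + user + "\x01auth=Bearer " + token + "\x01\x01"),
// which the client sends after "AUTHENTICATE XOAUTH2".
func XOAuth2Response(user, accessToken string) string {
	raw := fmt.Sprintf("user=%s\x01auth=Bearer %s\x01\x01", user, accessToken)
	return base64.StdEncoding.EncodeToString([]byte(raw))
}

func main() {
	// Constructed sample capability lines; the server names are placeholders.
	samples := []struct {
		server, caps string
		tls          bool
	}{
		{"oauth-capable host", "* CAPABILITY IMAP4rev1 AUTH=XOAUTH2 AUTH=PLAIN IDLE", true},
		{"password-only host over TLS", "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE", true},
		{"host before STARTTLS", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", false},
	}
	for _, s := range samples {
		mech, err := ChooseAuth(s.caps, s.tls)
		if err != nil {
			fmt.Printf("%-28s -> refuse: %v\n", s.server, err)
			continue
		}
		fmt.Printf("%-28s -> %s\n", s.server, mech)
	}
	fmt.Println("XOAUTH2 initial response:",
		XOAuth2Response("alice@example.test", "ACCESS_TOKEN_PLACEHOLDER"))
}
```

Note that a relayed service holding the access token can still read the mailbox for as long as the token (or its refresh token) is valid; the gain over a password is scope, expiry and the ability to revoke one grant without changing the account password.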

xorcist
1 replies
9h33m

IMAP supports a multitude of authentication standards, including hash and key-like, so the above is not necessarily true, however it is unlikely that Outlook supports them.

Client certificates are supported by both Thunderbird and K9 and would prevent this type of issue.

In the cloud first era, your value is derived from how much customer data is under your control. Not for resale primarily but for stickiness. It's like the dot com era, only for real this time.

lxgr
0 replies
3h20m

Client certificates are supported by both Thunderbird and K9 and would prevent this type of issue.

How? Outlook could just ask you for your certificate (+ private key) and upload that.

steve1977
0 replies
8h36m

I would expect that my local e-mail client is making the connection to my IMAP server. Not a connection to Microsoft servers which then in turn connect to my IMAP server.

nhinck2
0 replies
12h2m

I would expect Microsoft not to be on the receiving end of my plaintext password.

fulafel
0 replies
11h51m

Another reason to use something else than passwords with IMAP for authentication.

dahauns
0 replies
6h49m

Once you've decided to send the actual password,

But you haven't. Microsoft has decided that for you - without telling you.

The more I think about it - that's not even just a GDPR issue, it's blatant malware behavior.

Fischgericht
0 replies
11h56m

TLS is only transport encryption. The password will be transmitted in clear before and after that transport.

This is not at all comparable to other "store my passwords inside the cloud"-systems, where the passwords are encrypted and decrypted on the users' devices, without the encryption key going to the cloud provider - that's the way it's handled in Password Managers, Chrome Auto-Fill etc.

And I would expect Microsoft asking the user for explicit consent "May we take your IMAP password and transfer it and store it in our cloud?" in easy to understand wording so people understand the consequences (for example getting fired for having punched a gaping hole into your employer's security policies like "Don't share this password with anyone")

That expectation would match the law in the EU.

And in addition, inside the EU it would also have to guarantee that the password will only be stored on servers inside the EU, and not end up, for example, with the NSA. And even then it still might not be legal.

And from a user's perspective: Certainly a big chunk of users that have been using email software for the last decades would assume that an email client installed on your PC is doing the IMAP access locally. There is no need for your IMAP credentials to go to Microsoft. Merging your local mail store from multiple sources inside the client is what email clients have been doing for the last 20 years. There is absolutely no need to move this to the cloud. Yes, my computer can handle merging email folders.

montjoy
1 replies
3h31m

It’s encrypted between the starting point (Microsoft) and your ISP. Microsoft is the “client” in this case and just like you can read your email in Outlook or Thunderbird, MS can read all of your email that they pull over from your ISP.

martinald
0 replies
1h59m

Yes I know but saying TLS is 'plaintext' is completely silly. It's like saying your credit card number is transmitted in plaintext when you do a TLS ecommerce transaction.

I do understand the point that the article is making, but implying that TLS is equivalent to plaintext is just plain hyperbole. What else can Microsoft do (assuming they want to do this feature?). Encrypt it again on the client side, then put it in the TLS tunnel? It's just double encryption at that point. They need the password.

FWIW the amount of users still using unencrypted IMAP is often pretty high in outlook or apple mail. Now that is a security issue. Try using a wifi packet analyzer at a large conference. I bet you'll see multiple or even dozens of plaintext IMAP passwords going thru the air.

bravetraveler
0 replies
15h5m

Transit vs rest, maybe?

I suppose they'd prefer it be not transferred at all, but if it were... to be bundled up safely [for storage] before exfiltration

rrrix1
8 replies
11h3m

My magic crystal ball just showed me that they're going to use your email for training AI models.

They're just trying to catch up with Google in any and every way they possibly can, users trust, privacy and security be damned.

steve1977
4 replies
8h38m

I don’t know about this. Microsoft would already have a huge body of e-mail to train on with Microsoft 365 and outlook.com if they wanted to I guess?

integricho
3 replies
7h22m

Yes, but mostly internal corporate emails, stretching back decades, with most of the content about how to violate user privacy using various sneaky schemes. I wonder what kind of A.I. would result from training on such content.

alt227
1 replies
6h13m

Microsoft have run hotmail/outlook.com for decades. This is a service used by hundreds of millions of people, I would guess mostly non corporate. I think they have more than enough personal email data to train on if they wanted to.

steve1977
0 replies
5h51m

This. I would gather it’s one of the bigger free mail services after Gmail, at least in the western world.

steve1977
0 replies
5h38m

I mean the mails of all their Microsoft 365 customers. Which at least where I live is the majority of all businesses.

dahart
1 replies
1h51m

Does the crystal ball say anything about what’s going to happen if Copilot or Bing start revealing non-public information to anyone who asks? It’s bound to happen if they train on non-public information. Imagine Microsoft accidentally releasing other companies’ corporate strategies and proprietary internal tech, or people’s personal finances and private social interactions. I would foresee both major litigation and government regulation coming down pretty hard. I would also expect a dramatic migration away from the product if something like that came to light. I honestly hope they’re smarter than this; training on data without explicit permission is already one of the biggest problems with AI efforts.

oxygen_crisis
0 replies
1h21m

You use public data only for your external-facing products like Copilot and Bing.

You use all data, public and private, for your in-house skunkworks LLM-AI used by vetted, NDA-bound staff and execs.

Bing won't be able to answer questions like "What are the monthly active user counts for CoolService LLC?" or "What are the manufacturing processes used at Gadgetmaster International?" but maybe DarkBing will.

Even if LLMs aren't good enough to deliver those answers today, they might be in five or ten years, and in the meantime you want to fill the pool of data you're going to feed it.

Cynical speculation? Yes. Eventually possible? Maybe...

mcint
0 replies
9h51m

Catch up? This is an attempt to re-claim, or solidify, monopoly.

einr
8 replies
8h24m

1. Embrace (Sure, Outlook supports SMTP and IMAP! Kinda.)

2. Extend (New Outlook supports IMAP, but only in the sense that we copy all your stuff to our Cloud) <--- We are here

3. Extinguish (We are deprecating support for legacy e-mail protocols, but it's okay because all your old stuff is in M365 anyway)

The dream of decentralized e-mail based on open standards is dead.

bogantech
3 replies
6h10m

Definitely scummy behaviour but it's funny how someone always has to bring up EEE and try their hardest to contort whatever the subject is to fit within that definition.

Back in my day we just wrote Microsoft with a dollar sign for an S

einr
2 replies
5h52m

Do you really think this is a particularly try-hard contortion?

deaddodo
0 replies
2h7m

Microsoft has supported IMAP for decades. And, even today, they're nowhere near the top of the heap in email control.

So what exactly is the goal of their master plan? They stop using IMAP for their Hotmail and Outlook.com accounts? Big whoop. The mass of people on Gmail and icloud.com/me.com services will just download one of a dozen other apps. And then just slowly stop using the outlook required accounts; unless mandated by their companies/corporate offices, wherein they just run two clients.

EEE was a policy Microsoft had when it gained monopolistic position in a field. It's misguided and inaccurate to try to apply it here.

bogantech
0 replies
5h47m

A mail client supporting IMAP from the beginning, and then waiting almost 30 years to move on to step 2 of their evil plan? yeah I'd say so

varispeed
1 replies
6h39m

Wait for "Microsoft would never!" brigade...

oblio
0 replies
3h7m

No, it's just that the Halloween Documents are now obsolete, not because Microsoft is kind.

It's because there are newer and better sharks out there, and you guys haven't caught up to the last 1-2 decades.

For example:

https://www.demandsage.com/gmail-statistics/

HPsquared
1 replies
6h29m

Funny how all the antitrust stuff melted away in recent years. It's almost as if the parties involved see that their interests are aligned.

contravariant
0 replies
6h13m

I mean it's easy to claim your actions don't hurt your competitors when you haven't got any.

deafpolygon
8 replies
11h32m

Turns out, if you are using an OAuth2 backed service (G-mail) or something like iCloud - then you are fine. It's only for local IMAP accounts (think: your ISP email account) where you type the password directly into the settings that Microsoft is doing this.

Doesn't make this any better- but before you worry that MS has your Google account password, they don't.

whoopdedo
6 replies
9h53m

No, they only have an OAuth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?

mrweasel
4 replies
9h24m

For Google and Apple at least, wouldn't you get a message saying that a new device has attempted to connect, asking you to confirm?

mschuster91
3 replies
8h53m

No. The dirty secret is that OAuth tokens, JWTs and whatnot are just as bad as passwords and cookies in terms of credential theft, the difference is only in built-in expiration and scope.

mrweasel
2 replies
8h28m

But would you not get a "A new device has accessed your account" warning? Or is that skipped because the token is already validated?

mschuster91
0 replies
8h14m

No. A bearer token (which almost all credentials are) doesn't say anything about the device that is using it.

The sole exception is tokens tied to a device's HSM (TPM, Secure Enclave, TrustZone, ...) - you can't clone these onto another device.

ETA: to expand a bit... passwords, SSL client certificates, JWTs, tokens generated after a SAML assertion, they are all fungible bearer tokens. A server has no way of verifying if what is presented to it is originating as an intentional act of a user, or if a malicious third party has duplicated the token somehow and is using it from somewhere else. An attacker can act just the same as the user themselves can. An HSM-backed token, i.e. having the server send a preflight challenge value, and the client HSM signing that challenge together with the token to send back with the actual request, at least proves that the request originated from the device expected to be in control of the user. However, such a scheme comes at a high cost - the user needs to be in possession of a capable device, the HSM needs to be secure, and doing preflight requests to obtain the challenge adds considerable latency.
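The challenge/response scheme sketched in the comment above, as an added Go example (not the commenter's code and not any vendor's implementation): the server issues a single-use random challenge, the client signs token+challenge with its device key, and the server verifies against the public key registered at enrollment. A bearer token copied off the device, a replayed challenge, or a signature made for an older challenge all fail the check. The in-memory P-256 key stands in for a TPM/Secure Enclave key that would never be exportable, and the token value is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewDeviceKey creates the device's signing key. In a real design the key is
// generated inside the TPM / Secure Enclave and is not exportable; the
// in-memory P-256 key here is a stand-in (assumption for this example).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ChallengeStore is the server side: it hands out single-use random
// challenges in the preflight request and remembers which are outstanding.
type ChallengeStore struct{ outstanding map[string]bool }

func NewChallengeStore() *ChallengeStore {
	return &ChallengeStore{outstanding: make(map[string]bool)}
}

// Issue returns 32 fresh random bytes. A production server would also attach
// an expiry so an unused challenge cannot be hoarded.
func (s *ChallengeStore) Issue() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.outstanding[hex.EncodeToString(c)] = true
	return c, nil
}

// consume marks a challenge as used; a second presentation is a replay.
func (s *ChallengeStore) consume(c []byte) bool {
	k := hex.EncodeToString(c)
	if !s.outstanding[k] {
		return false
	}
	delete(s.outstanding, k)
	return true
}

// proofDigest binds the bearer token to the challenge, so a signature cannot
// be transplanted onto another token or another challenge.
func proofDigest(token string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pop-v1\x00"))
	h.Write([]byte(token))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// SignProof runs on the client: the device key signs the digest. Only the
// signature, the token and the challenge go over the wire, never the key.
func SignProof(priv *ecdsa.PrivateKey, token string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, proofDigest(token, challenge))
}

// VerifyProof runs on the server, which stored pub when the device enrolled.
// A cloned bearer token presented without the matching key, a reused
// challenge, or a signature made for a different challenge all fail here.
func (s *ChallengeStore) VerifyProof(pub *ecdsa.PublicKey, token string, challenge, sig []byte) error {
	if pub == nil || len(challenge) != 32 {
		return errors.New("malformed proof")
	}
	if !s.consume(challenge) {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	if !ecdsa.VerifyASN1(pub, proofDigest(token, challenge), sig) {
		return errors.New("proof of possession failed: token holder lacks the device key")
	}
	return nil
}

func main() {
	store := NewChallengeStore()
	device, _ := NewDeviceKey()
	token := "BEARER_TOKEN_PLACEHOLDER" // constructed; a real token is opaque to us
	c, _ := store.Issue()
	sig, _ := SignProof(device, token, c)
	fmt.Println("genuine device:", store.VerifyProof(&device.PublicKey, token, c, sig))
	other, _ := NewDeviceKey() // someone holding only the copied token
	c2, _ := store.Issue()
	sig2, _ := SignProof(other, token, c2)
	fmt.Println("copied token, other key:", store.VerifyProof(&device.PublicKey, token, c2, sig2))
}
```

The cost the comment mentions is visible in the code: every authenticated request needs the extra Issue round trip, and the server has to keep state for outstanding challenges (with expiry, in a real deployment).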

dist-epoch
0 replies
8h6m

I didn't get such warning when I connected Outlook to my Gmail.

But I had to click accept on the Google form requesting my permission to grant Outlook access. So I was informed when the app was connected.

I'm not sure how you would count "new device", since that token is going to be used by a random Microsoft cloud server, potentially different every time.

dist-epoch
0 replies
8h8m

So just like every other connected app, right?

How are they supposed to access the emails without some sort of token?

mrweasel
0 replies
9h25m

While it's probably not many companies that work this way, and use Outlook, I do wonder what happens if your IMAP is on a closed network.

It is completely possible to have SMTP and IMAP be on internal networks and not on the internet (SMTP obviously needs a way to relay to an internet-connected buddy).

febeling
6 replies
5h48m

You wonder what needs to happen that would make people stop using Windows.

switch007
4 replies
5h0m

Shouldn't be too hard:

1. Remove it from schools so kids don't grow up used to it

2. Stop it being bundled with new PCs

3. Get companies to stop using Excel

4. Convince gaming companies to stop making first class support for games for Windows

5. Make all existing important software and games work just as well on Linux

6. Get NVIDIA to make Linux a first-class citizen

antx
1 replies
4h19m

Surely you are being sarcastic?

lostmsu
0 replies
2h29m

The only sarcasm there is the first line.

hospitalJail
0 replies
4h10m

3. Get companies to stop using Excel

Libre Office is just... not there. Something is seriously wrong with it.

Anyway, Linux Desktop is ready for the mainstream. I can typically get away with Google's suite for Office. All of my workflows work fine with Linux, and I have hobbies from 3D printing to electronics to writing to creative work.

RamblingCTO
0 replies
3h54m

I use Excel on my mac just fine.

jwells89
0 replies
1h59m

For most users, it’d be nearly perfect, hiccup-free compatibility with Windows software and a desktop experience that is identical to that of Windows wherever practical so there is no learning curve. In other words, when users can’t tell they’re not using Windows.

Anything less won’t move the needle, at least in the short term. People don’t like change and they don’t like thinking about their tools. You see this even with macOS, where switchers only put up with learning because there’s immediate tangible benefits like long battery life and reduced heat/fan noise acting as a carrot, and even then sometimes that’s not enough and they end up falling back to Windows.

yrro
5 replies
6h2m

Isn't this exactly what BlackBerry used to do?

Privacy wise it's distasteful but it does work around a lot of IMAP's problems which still don't seem to have been fixed in the ~20 years that they've been known about...

AshamedCaptain
4 replies
5h21m

There are no such IMAP problems, at least ever since IDLE was a thing (which arguably you could argue may have not been a thing up until the 2010s, even if it's technically from the 2000s).

It's just all political bullshit -- the same reason you can have decent IMAP clients on Android, but you can't on iOS (they have to resort to tricks like this), except if you're Apple.

yrro
3 replies
3h9m

Isn't there still a limit of one watched mailbox per TCP connection?

deaddodo
2 replies
2h21m

Yes. But you're going to have a unique TCP connection per host, at minimum.

Unless I'm misunderstanding the problem you're raising, it seems like a non-issue for the majority of people with multiple accounts (a work email, a Gmail, a hotmail; for instance).

yrro
1 replies
1h39m

A unique connection per host isn't too bad. But I have 12 connections for each of my desktops and laptops and phones and tablets...

As you say the problem is somewhat caused by Apple and Google forcing apps to use their proprietary notification systems so that e.g., mail can be checked while a phone is idling. But the end user does not care about the market abusing power of the monopolies--they want instant notifications when they receive mail...

AshamedCaptain
0 replies
8m

Google is _not_ forcing, only Apple is. This cannot be emphasized enough.

You can still perfectly have dozens of background TCP connections idling on Android with no issue. The only caution you need to take is to synchronize the keepalives (otherwise the radio may stay on for too long, hitting your battery life), but this was solved back when Android was still Danger.

As evidenced by the power analysis of IM apps that was here on HN a couple weeks ago, there is no discernible advantage to using Google notifications versus just keeping your multiple TCP connections idling in the background: Conversations is a Jabber client which does the second and was practically the most power-friendly client of the entire Android ecosystem.

dewey
5 replies
3h56m

I thought that's what every email provider does? Fastmail has the same feature where you can provide your credentials and they'll fetch the emails from other providers for you.

jeroenhd
2 replies
3h48m

Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

The Outlook app for Android does the exact same thing, copying your email to the Microsoft cloud and then serving the emails to your phone from Microsoft's servers.

dewey
1 replies
3h34m

Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

Is it really? The comments on the original Heise article mention that Heise actually misunderstood it and it's basically just a link to the web interface in the task bar so it's not a local app.

jeroenhd
0 replies
2h20m

I can't see any indication that it's actually a web interface in Microsoft's announcement.

Looking at the Microsoft Store entry (https://apps.microsoft.com/detail/outlook-for-windows/9NRX63...) I don't really see any indication of it being a web app either.

Maybe they're hiding their web app Electron/Tauri style, but I would certainly expect it to be local-only based on the way it's advertised and designed.

matrss
0 replies
3h40m

If I instruct fastmail or another provider to fetch mail from a different email provider on my behalf so that I have it in one place then that is a deliberate decision I make. If I connect to my mail provider via IMAP/SMTP from a local application (Outlook, Thunderbird, mutt or whatever) I do not expect my credentials to be exfiltrated to a third party so that they can also fetch my mail. In fact, I would consider that to be criminal behavior if not VERY clearly communicated, with all its implications.

iinnPP
0 replies
3h46m

The difference here seems to be transparency.

WhereIsTheTruth
5 replies
6h53m

Microsoft is allowed to do whatever it wants with impunity, including stealing your password and tunneling back to their servers in plain text

Wow, just wow

phendrenad2
4 replies
6h25m

It's not plain text, it's encrypted via TLS

gmueckl
3 replies
5h29m

Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the full plain text password, not a hash.

Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plain text password from the data stream.

mynameisvlad
2 replies
5h22m

What use would a hash of the password be when the purpose is to log in as the user?

stevemk14ebr
0 replies
14m

You're correct it's necessary for how they use this, to impersonate a user and 'clone' their email data. But then, that is the problem, they shouldn't be able to do this at all.

emayljames
0 replies
4h17m

it is not a hash

randunel
4 replies
8h50m

I've had all my Google Translate posts taken down with the ask to post it in the original language, but this one somehow stays up. Mysterious are the ways of the mods.

yorwba
2 replies
8h45m

The mods need to sleep sometimes.

randunel
1 replies
8h44m

I'm fairly certain they're on different timezones and a 9h span with a front page link has been noticed by several.

yorwba
0 replies
8h19m

I'm fairly certain they're all in the US and this post has been on the front page for only a little more than an hour: https://hnrankings.info/38212453/

Fischgericht
0 replies
6h45m

Wasn't aware of this rule, has been one of my first submissions.

If any mod wants to modify...

Original is: https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...

Deepl-Translated PDF version: https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...

wkat4242
3 replies
14h44m

I'm not surprised to be honest because the 'new' outlook is simply the old office 365 version of Outlook Web Access in an element wrapper. They don't seem to have added local storage or local imap support but they simply sync your mail into their cloud instead.

I wouldn't be surprised if this is a ploy to offer users a 'migration' to a paid office 365 subscription later.

The old windows mail was ok even though it wasn't very full featured.

nolok
2 replies
7h2m

I can't wait for a "Mail" app that can't be properly removed, and keep restarting itself with the computer just to nag you to upgrade from the tray, like they did with One Drive.

j-bos
1 replies
5h8m

Don't wait, leave. Get on an OS that serves you.

boppo1
0 replies
4h18m

This. I hardly understand Linux but I tentatively switched to xubuntu in 2017. Ever since, I only boot windows once every 3-6 months for some proprietary software.

It's an amazing feeling when your OS isn't insisting left and right on behavior you don't want.

flower-giraffe
3 replies
7h21m

When combined with the rate limiting on 365 email api and ultimately removing imap access this seems like a strategic goal to capture our data.

The dark patterns pushing content to one drive from office apps and web access opening attachments and keeping them in one drive is another example of this data grab.

It’s an example of shareholder value trumping customer value, the primary purpose of cloud is to make you pay more without having to provide more in return.

vladvasiliu
0 replies
3h57m

When combined with the rate limiting on 365 email api and ultimately removing imap access this seems like a strategic goal to capture our data.

While I agree with your other points, I'm not sure how this one works. If you're using Office365, you're already having your mail at least go through their servers. What difference does IMAP make to their snooping intentions?

trelane
0 replies
3h53m

seems like a strategic goal to capture our data.

Sure is good they're not an ad company then. /s

2devnull
0 replies
1h5m

The majority seems to like one-drive. In theory having everything in one place sounds great. Few people think long term. Customer value trumps customer value if you ask me. IT departments and clueless users love MSFT and that will never change. Embrace it.

lakpan
2 replies
5h10m

It’s funny, but anyone who’s ever used Gmail’s “Accounts” tab on its options page, has voluntarily given Google their passwords to keep forever.

Now Microsoft wraps their web UI in a “native” app and everybody loses their mind.

It’s hardly unusual for an internet-connected app to be at least partially run in the cloud in 2023. Much less unusual when it’s something related to MS365 and AI (one of the banner features of this new release)

MereInterest
1 replies
4h46m

False equivalence. In one case, credentials are deliberately given for remote use. In the other case, credentials are expected to be used for a direct connection, but are instead taken for remote use.

One is an explicit delegation, while the other is a man-in-the-middle attack.

lakpan
0 replies
3h7m

I don’t think so. Remote or direct is only something we think about. The general user could not care less nor know the difference. Hardly a false equivalence.

HumblyTossed
2 replies
4h47m

What's the difference between this and some of those other email apps like Spark?

microflash
1 replies
2h58m

Spark does the same thing. In fact, many email clients do this, so you may want to read the fine print before using them.

HumblyTossed
0 replies
58m

I know. That was my point. People are in an uproar, but I bet a lot of them use Spark, etc.

Fischgericht
2 replies
18h27m

German IT magazine has uncovered that with Windows 11 Update 23H2 if you accept the "recommended" new version of Outlook the client may be uploading your secret IMAP credentials to the Microsoft cloud.

If you are trying to add a "local" IMAP/SMTP account, there is short notice that Outlook needs to "synchronize" your IMAP account with the Microsoft cloud.

It does NOT explain that what this actually means is that it will send all your credentials including your passwords in clear text to Microsoft.

Microsoft's support document to this also only mentions:

"Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers."

No word that it means that they are uploading your passwords.

This is evil. And at least in the EU, illegal.

I have not yet found any report on this in english-language IT media, and therefore have provided a Google Translate link to the report in German.

jofla_net
1 replies
15h54m

big if true, i mean what a footgun. Imagine the target they are painting on their back, with all those credentials now harvested.

Fischgericht
0 replies
15h32m

Yeah, it's true. c't magazine is the biggest IT print publication in the EU, and is highly respected and known for investigative journalism. It looks like the pictures provided which show what they captured is sent to Microsoft (your passwords in plain text) aren't shown if the page is viewed via Google Translate.

So here is the original page URL: https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...

And here is the picture that shows what they have captured is sent to Microsoft:

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...

reportgunner
1 replies
3h46m

Sorry I can't read German but do I understand properly that you give your gmail password to outlook (microsoft) and you are surprised that outlook does whatever it likes with the password ?

dugite-code
0 replies
3h37m

I think it's a surprise that that password is going off device. The default mail app traditionally and sensibly is a local only client and "sync" features have not behaved in this fashion in the past.

dinckelman
1 replies
3h19m

To call the "new" Outlook a horrible piece of software, would be an insult to actually horrible pieces of software. They're one tier below that, wherever that is.

The fact that this is acceptable, in their narrow minds, is insane

thiht
0 replies
2h39m

I wonder if Microsoft execs themselves use this crap, and what they think of it

bradley13
1 replies
3h42m

This is the horrifying core issue: "When creating an IMAP account, c't was able to record that the target server, login name and password were being transferred to Microsoft's server. Although TLS protected, the data in the tunnel runs to Microsoft in plain text. Without informing or asking, Microsoft grants itself full access to the IMAP and SMTP access data of users of the new Outlook."

To be clear: this is for accounts not hosted on Microsoft servers. They likely copy all of your existing mails to their servers, and any future mails sent or received also run through their servers.

singularity2001
0 replies
53m

How is that not a $1 billion fine under European law?

Fischgericht
1 replies
15h19m

I have now translated it as a PDF using Deepl. Much better translation, and you can see the images, too:

https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...

tuetuopay
0 replies
6h24m

Thanks. With the screenshot of the JSON payload it's quite frightening and explicit. They did not even try to conceal it...

znpy
0 replies
7h7m

How is that remotely even legal? That's actively malicious behavior.

secondcoming
0 replies
6h13m

Apple has also started to try to get users to switch to their Mail app, at least on iPadOS. Every time I switch gmail accounts on the web UI in Chrome, I get a popup from Mail asking me to set the account up in Mail.

I can't turn it off.

sampa
0 replies
7h49m

just one word: Linux

pronoiac
0 replies
7h9m

If you have large mailboxes, this would steer you toward paying for cloud storage at Microsoft, which might be a surprising bill to face.

ofslidingfeet
0 replies
2h12m

What do you call an economy where the central establishment keeps stubbornly giving consumers things they don't want?

lifty
0 replies
5h43m

Everything will run in Azure and all apps will be web apps. You can count on that. This is a clear strategy from Nadella and I doubt anything will change his mind.

glimshe
0 replies
7h40m

I only use Knock-OutLook for Microsoft accounts. They have my password already, so no lost security there. Synchronizing email accounts is useful, but I never thought it worth the hassle before or after Outlook.

chinathrow
0 replies
5h45m

Who on earth approved something like this at Microsoft?

asmor
0 replies
4h19m

I filed a GDPR complaint regarding this when they released it on Mac, because it is not transparent what data Microsoft stores when you stop fetching email over their Exchange proxy. This was their response, after 3 months...

• How long is mail data fetched from the non-Microsoft server retained? On 31st day of user inactivity we mark the account for removal. The account is soft deleted, and the data is purged within a week (approximately) after that.

• What happens with an account that is no longer being used? Does the service continue fetching and “enhancing” mail data or does it happen on demand when a user opens Outlook? - If the user is not signing into the 3rd party accounts using Outlook mobile, Teams for life or Outlook for Mac, we stop syncing any data after 7 days and mark the account for deletion after 30 days.

• How do I know what data the service holds? - Service holds Mail, Calendar, contacts data and profile data for the user (User provides consent to collect this data during add account flow).

• How can I make sure data is no longer retained? (e.g., does logging out from Outlook delete the mail data and credentials?) - When removing the account in Mac you can choose to "Sign Out On All Devices" which deletes the mailbox from the Microsoft Cloud (Exchange-backed mailbox where the third-party account is being synced).

I also filed a complaint about not making it clear if data is required for processing (Article 13, Section 2(e) [1]) - but the supervisory authority ignored me on that one.

[1]: https://gdpr-info.eu/art-13-gdpr/

NOWHERE_
0 replies
10h58m
N19PEDL2
0 replies
6h20m

I installed the new Outlook just a few days ago and I almost immediately started to receive emails like "I recorded you, pay or I'll share your files with everyone" on my customized email address. I thought it was a coincidence but now I am beginning to have doubts.

Kim_Bruning
0 replies
14h43m

This could become a bit of an issue. There's a reason why you're using IMAP in the first place, typically.

Hopefully this doesn't apply to e.g. Outlook365 as well.

Aerroon
0 replies
6h13m

Does this mean the new Outlook is actual malware? It's literally stealing your password.

ActionHank
0 replies
2h12m

How else are they supposed to get your emails to train their ai models?

29athrowaway
0 replies
3h30m

Not to mention that Microsoft authenticator seems to be required now.