Outlook transfers passwords and emails to Microsoft without notifying the user

With the launch of Windows 11 23H2, Microsoft debuted the new Outlook. Previously known as One Outlook, the new client brings the management of emails, calendars and contacts under a single umbrella. The idea behind the new Outlook is to deliver a renewed, unified experience to users, regardless of the platform they use.

Outlook obviously allows you to configure and use several email accounts, accessible via OAuth or via the traditional IMAP and SMTP protocols. The application therefore lets you use both Microsoft accounts and email addresses from other providers, including European providers, via OAuth or via IMAP/SMTP.

Trying the new-generation Outlook, however, we noticed a problem that is anything but trivial. A surprise that few probably expected to find.

Outlook, debuted with Windows 11 23H2, steals passwords and personal data by saving them on Microsoft servers

When you use an email client you obviously generate a periodic data exchange between your device and the remote mail servers. Some email clients also integrate features for checking for and installing updates.

If you set Outlook to use a Microsoft account, it is obvious that the application transfers data to and from the Redmond company’s servers. But why should there be a flow of information between the local system and Microsoft’s servers, through the Outlook app, if only third-party email accounts are configured?

Well, as Heise c’t ascertained, if you set up accounts accessible via IMAP and SMTP in the new Outlook, their data – including login passwords and message contents – are automatically synchronized to Microsoft servers.

You read that right: emails, calendars and contacts (along with the login password) coming from “non-Microsoft” providers are automatically uploaded to the Redmond company’s servers.

Although protected by the TLS protocol in transit, the data travels in plain text inside the encrypted tunnel established between the Outlook client and the Microsoft server: TLS shields it from on-path observers, not from the server receiving it. Without informing the user or asking for confirmation, Microsoft effectively grants itself complete access to users’ IMAP/SMTP account data.

OAuth access tokens, however, are also stored on the Microsoft server side, for example even those that grant access to Google accounts. In this case, the user at least has the option of revoking them.

At this point, it is appropriate to keep the anomalous behavior of the new Outlook in mind and wait for Microsoft’s response. The anomaly, among other things, presents itself in the same way on Windows, macOS, Android and iOS.