Comment by deafpolygon
2 years ago
Turns out, if you are using an OAuth2-backed service (Gmail) or something like iCloud, then you are fine. It's only for local IMAP accounts (think: your ISP email account) where you type the password directly into the settings that Microsoft is doing this.
Doesn't make this any better, but before you worry that MS has your Google account password, they don't.
No, they only have an OAuth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?
For Google and Apple at least, wouldn't you get a message saying that a new device has attempted to connect, asking you to confirm?
No. The dirty secret is that OAuth tokens, JWTs and whatnot are just as bad as passwords and cookies in terms of credential theft, the difference is only in built-in expiration and scope.
So just like every other connected app, right?
How are they supposed to access the emails without some sort of token?
Wouldn't it just use the credential from client to directly connect to the service instead of going client->msft->server?
You need a token to authenticate, but the client software (Microsoft here) doesn't ever need to send that data to themselves to successfully auth.
Sending themselves the auth credentials does allow them to then use it on their servers in ways that your client device may not want to (e.g., excessive battery drain) or can do (loss of network). But it then also allows them full access anytime they want and complete control of your data for whatever they want.
While it's probably not many companies that work this way and use Outlook, I do wonder what happens if your IMAP is on a closed network.
It is completely possible to have SMTP and IMAP be on internal networks and not on the internet (SMTP obviously needs a way to relay to an internet-connected buddy).