Comment by whoopdedo
2 years ago
No, they only have an OAuth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?
For Google and Apple at least, wouldn't you get a message saying that a new device has attempted to connect, asking you to confirm?
No. The dirty secret is that OAuth tokens, JWTs and whatnot are just as bad as passwords and cookies in terms of credential theft, the difference is only in built-in expiration and scope.
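To make the point above concrete, here is an added example (not code from the thread or from any of the vendors discussed) that mints and verifies self-signed HS256 JWTs and then reports what a stolen copy would still grant at a given moment. The only properties that limit the damage are the `exp` claim and the `scope` claim, exactly as the comment says; a token without `exp` is a password-equivalent until the issuer revokes it. The signing key, the subject, and the scope names (`mail.read`, `mail.send`, `contacts.read`) are all constructed for the demo; real identity providers use their own key material and scope vocabularies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo; a real issuer would use its own
# signing key (usually RSA/ECDSA), never a shared HMAC secret like this.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: b64url(header).b64url(claims).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the structure, pin the algorithm, verify the HMAC, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # Never let the token choose the algorithm; pin what we expect.
        raise ValueError("unexpected alg; refusing to verify")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def assess_token_exposure(token: str, key: bytes, now: float) -> dict:
    """Describe what a leaked copy of `token` still buys a holder at time `now`.

    Only expiry and scope bound the damage; a token with neither is as durable
    as a password and must be revoked server-side once it is known to be exposed.
    """
    claims = verify_jwt(token, key)
    exp = claims.get("exp")
    scopes = sorted(claims.get("scope", "").split())  # constructed space-separated scopes
    if exp is None:
        remaining = None
        live = True
        time_bound = "none: no exp claim, usable until revoked (password-equivalent)"
    else:
        remaining = max(0, int(exp - now))
        live = remaining > 0
        time_bound = f"expires in {remaining}s" if live else "already expired"
    return {
        "live": live,
        "remaining_seconds": remaining,
        "time_bound": time_bound,
        "scopes": scopes,
        "mailbox_readable": live and "mail.read" in scopes,
    }


if __name__ == "__main__":
    now = time.time()
    # Constructed tokens: one short-lived and narrow, one unbounded and broad.
    bounded = make_jwt({"sub": "alice", "scope": "mail.read", "exp": int(now) + 3600}, DEMO_KEY)
    unbounded = make_jwt({"sub": "alice", "scope": "mail.read mail.send contacts.read"}, DEMO_KEY)
    for name, tok in (("bounded", bounded), ("unbounded", unbounded)):
        print(name, json.dumps(assess_token_exposure(tok, DEMO_KEY, now), indent=2))
```

Running it shows the two outcomes side by side: the bounded token stops being useful on its own within the hour, while the unbounded one stays live with every scope it was issued until someone revokes it. That is the defender's takeaway from the comment: treat bearer tokens in logs, backups and third-party stores as credentials, keep `exp` short, keep scopes minimal, and have a working revocation path.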
But would you not get an "A new device has accessed your account" warning? Or is that skipped because the token is already validated?
So just like every other connected app, right?
How are they supposed to access the emails without some sort of token?
Wouldn't it just use the credential from client to directly connect to the service instead of going client->msft->server?
You need a token to authenticate, but the client software (Microsoft here) doesn't ever need to send that data to themselves to successfully auth.
Sending themselves the auth credentials does allow them to then use it on their servers in ways that your client device may not want to (e.g., excessive battery drain) or can do (loss of network). But it then also allows them full access anytime they want and complete control of your data for whatever they want.
> But it then also allows them full access anytime they want and complete control of your data for whatever they want.
95% of people use webmails from Google, Microsoft or Yahoo. They already have complete control.
Sure, Microsoft should make it much more clear what is going on with the passwords and cloud email, but all things considered, nothing really changed for 95% of people.
And if you don't trust Microsoft with your email, but are using this Microsoft mail app on Microsoft Windows, well, that's again weird.