Comment by WhereIsTheTruth

2 years ago

Microsoft is allowed to do whatever it wants with impunity, including stealing your password and tunneling back to their servers in plain text

Wow, just wow

It's not plain text, it's encrypted via TLS

  • Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the full plain text password, not a hash.

    Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plain text password from the data stream.